Are You Scrubbing the Twitter Stream on Your Web Site? - lmacvittie
http://devcentral.f5.com/weblogs/macvittie/archive/2010/03/25/are-you-scrubbing-the-twitter-stream-on-your-web-site.aspx

======
Tichy
Just classic XSS.

However, since I am currently also writing an app that includes Tweets, can
anybody recommend a good way to escape HTML in JavaScript? To my surprise I
could not find a quick answer (using jQuery atm). A lot of forums recommend
just replacing "<" and ">", but I feel I would have to do more research to be
sure that is sufficient. For one thing this would fail within HTML attributes
(for example URLs pointing to twitter users, with the name taken from the
tweet). I am also not certain about character encodings.

I'd prefer to have a tried and tested library to do the escaping, even if in
the end it is just a one-liner.

~~~
marcinw
Check out [http://code.google.com/p/owasp-esapi-js/source/browse/trunk/...](http://code.google.com/p/owasp-esapi-js/source/browse/trunk/src/main/javascript/org/owasp/esapi/)

While it may be overkill, replacing just < and > is nowhere near enough. You
have to consider HTML attributes, URLs, CSS, and JavaScript.

At an absolute minimum, these chars need to be encoded for the context they're
rendered in:

< > ' " ( ) [ ] { }

and for good measure:

\ /

(disclaimer: any attacks that somehow bypass this (should not if done
properly) would be truly unique to the application)
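A context-aware encoder in plain JavaScript, added here as an example for Tichy's question and for marcinw's point that attributes and URLs need their own handling; it is not code from the thread or from OWASP ESAPI, and the tweet object and the `twitter.com/<screen name>` URL shape are constructed assumptions.

```javascript
// Added example (not from the thread or from OWASP ESAPI): encode tweet
// fields for the context they land in. Plain JavaScript, no jQuery; the
// tweet object below is constructed for illustration.

// The approach debated above: replace only < and >. That stops a new tag in
// text content, but a quote inside an attribute value still ends the
// attribute, so it is NOT enough for href="..." or title='...'.
function naiveEscape(input) {
  return String(input).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// HTML text and attribute context: allow-list alphanumerics and space, turn
// every other code point into a numeric entity. That covers < > ' " ( ) [ ]
// { } \ / and works whichever quote style the attribute uses. The 'u' flag
// keeps surrogate pairs (emoji) together so they encode as one entity.
function encodeForHTML(input) {
  return String(input).replace(/[^A-Za-z0-9 ]/gu, function (ch) {
    return '&#' + ch.codePointAt(0) + ';';
  });
}

// URL context: the screen name becomes a path segment, so percent-encode it.
function twitterProfileUrl(screenName) {
  return 'https://twitter.com/' + encodeURIComponent(screenName);
}

// One tweet as markup. Nested contexts encode inside-out: the URL is built
// with encodeURIComponent first, then HTML-encoded because it sits inside an
// href attribute; text and title get HTML encoding only.
function renderTweet(tweet) {
  var user = encodeForHTML(tweet.user);
  var href = encodeForHTML(twitterProfileUrl(tweet.user));
  return '<p class="tweet"><a href="' + href + '" title="' + user + '">' +
    user + '</a>: ' + encodeForHTML(tweet.text) + '</p>';
}

// Review check for an encoded value: none of the characters that can end an
// attribute value or open a tag may survive in it.
function hasRawDelimiters(encoded) {
  return /["'<>]/.test(encoded);
}

// Constructed sample (not a real tweet); the quote in the user name is what
// breaks the naive approach in attribute context.
var sample = { user: 'bob"smith', text: 'said "hi" <b>there</b> & left' };
console.log(renderTweet(sample));
```

Note that `encodeURIComponent` leaves `'` untouched, which is exactly why the URL is HTML-encoded again before it goes into the attribute.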

