escaping - Cross Site Scripting (XSS): Do I need to escape the ampersand?

Question

I want to escape for XSS in an HTML context, and so far I treat the <, >, and " characters. Apparently it is recommended to escape the ampersand as well, but why? (Other than for keeping the HTML valid, let's assume that this is not an issue)

So what I am asking is: When I escape <, > and ", can someone demonstrate how the ampersand can still allow an XSS attack in an HTML context?

Cheers!

Answer 1

You should really take a look at the OWASP XSS Prevention Cheat Sheet.

You should escape & because it can be used to circumvent other defenses. Consider this code:

<button onclick="confirm('Do you really want to delete <%= data_from_user; %> ?'">Delete</button>

To defend against XSS inside the onclick event handler, the developer escapes ', ", < and > in data_from_user and thinks everything is ok. The problem is that if the attacker types ' which passes the escaping, but ends up allowing the attacker to run javascript.

Example here: http://erlend.oftedal.no/blog/?blogid=124