October 31, 2017

Output Encoding

  • Conduct all encoding on a trusted system (e.g., the server).
  • Utilize a standard, tested routine for each type of outbound encoding.
  • Contextually output encode all data returned to the client that originated outside the application’s trust boundary. HTML entity encoding is one example, but does not work in all cases.
  • Encode all characters unless they are known to be safe for the intended interpreter.
  • Contextually sanitize all output of untrusted data to queries for SQL, XML, and LDAP.
  • Sanitize all output of untrusted data to operating system commands.
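The rules above, as an added Python example that is not part of the original checklist: one allowlist-based encoder per output context (HTML content/attribute, JavaScript string literal, URL query parameter), following the "encode unless known safe" rule, plus a helper that renders the same untrusted value into all three contexts. The function names and the profile fragment are illustrative choices of mine, not a standard library routine.

```python
import string
from urllib.parse import quote

# Allowlist for the "encode unless known safe" rule: only ASCII letters and
# digits pass through untouched; every other character is encoded for its
# context. Intentionally stricter than the minimum each interpreter needs.
_ALNUM = set(string.ascii_letters + string.digits)


def encode_html(value: str) -> str:
    """HTML element content and quoted attribute values: one numeric entity
    per non-allowlisted character, so markup delimiters never reach the parser."""
    return "".join(ch if ch in _ALNUM else f"&#x{ord(ch):x};" for ch in value)


def encode_js_string(value: str) -> str:
    """Inside a JavaScript string literal. Script content is raw text, so HTML
    entities are NOT decoded there; quotes, backslashes, newlines and '</'
    must be handled as \\xHH / \\uHHHH escapes instead."""
    out = []
    for ch in value:
        cp = ord(ch)
        if ch in _ALNUM:
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02x}")
        else:
            out.append(f"\\u{cp:04x}")
    return "".join(out)


def encode_url_param(value: str) -> str:
    """Inside a URL query parameter value: percent-encode everything that is
    not unreserved (safe="" also encodes '/'); non-ASCII is encoded as UTF-8."""
    return quote(value, safe="")


def render_profile(display_name: str) -> str:
    """Constructed fragment placing one untrusted value in three contexts,
    each encoded for the interpreter that will consume it."""
    return (
        f'<p title="{encode_html(display_name)}">{encode_html(display_name)}</p>\n'
        f'<a href="/search?q={encode_url_param(display_name)}">search</a>\n'
        f'<script>var name = "{encode_js_string(display_name)}";</script>'
    )
```

Note that `encode_html` is deliberately not reused for the `<script>` context: the same value needs a different encoder per interpreter, which is the point of "contextually" in the checklist.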