abstract class ContextSafeness

Methods

static string[]
getDisallowedCharactersAsURL()

Get the list of UTF-8 characters that are disallowed as a URL

static string[]
getDisallowedCharactersInCSS()

Get the list of UTF-8 characters that are disallowed in CSS

static string[]
getDisallowedCharactersInJS()

Get the list of UTF-8 characters that are disallowed in JS

Details

at line 19
static string[] getDisallowedCharactersAsURL()

Get the list of UTF-8 characters that are disallowed as a URL

":" is disallowed to prevent the URL from having a scheme, so that a value such as a javascript: URI cannot be injected where a path or query is expected.

Return Value

string[]

at line 36
static string[] getDisallowedCharactersInCSS()

Get the list of UTF-8 characters that are disallowed in CSS

  • "(" and ")" are disallowed to prevent executing CSS functions or proprietary extensions that may execute JavaScript.
  • ":" is disallowed to prevent setting extra CSS properties as well as possibly misusing the url() function with javascript: URIs.
  • "\", '"' and "'" are disallowed to prevent breaking out of or interfering with strings.
  • ";", "{" and "}" are disallowed to prevent breaking out of a declaration or rule block.

Return Value

string[]

at line 58
static string[] getDisallowedCharactersInJS()

Get the list of UTF-8 characters that are disallowed in JS

Allowing any input inside of a JavaScript context is a risky proposition. The use cases are also pretty rare. This list of disallowed characters attempts to block any character that is potentially unsafe either inside or outside of a string.

  • "(" and ")" are disallowed to prevent executing functions.
  • '"', "'", "\" and "`" are disallowed to prevent breaking out of or interfering with strings.
  • "\r", "\n", U+2028 and U+2029 are disallowed inside of JavaScript strings.
  • ":" and "%" are disallowed to prevent potential exploits that set document.location to a javascript: URI.
  • "=" is disallowed to prevent overwriting existing variables (or constructors, such as Array's) if the input is used outside of a string.

Return Value

string[]
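The three methods above only return character lists; the caller still has to run the check. The following is an added example, not code from the project that ships ContextSafeness: it reconstructs the lists from the bullet points documented on this page (the real methods may return a longer list, in particular for the URL context, where only ":" is described) and applies them per context, splitting the input by UTF-8 code point so that the multibyte entries U+2028 and U+2029 are matched as whole characters. The class name ContextSafenessCheck, the violations() and isSafe() helpers, and the sample inputs are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example (not the project's own ContextSafeness class). The lists
// below are reconstructed from this page's documentation of each method;
// treat them as illustrative, not as the library's authoritative output.
final class ContextSafenessCheck
{
    /** @return string[] characters disallowed when the value is used as a URL */
    public static function disallowedAsUrl(): array
    {
        return [':'];
    }

    /** @return string[] characters disallowed inside a CSS value */
    public static function disallowedInCss(): array
    {
        return ['(', ')', ':', '\\', '"', "'", ';', '{', '}'];
    }

    /** @return string[] characters disallowed inside a JavaScript context */
    public static function disallowedInJs(): array
    {
        return ['(', ')', '"', "'", '\\', '`', "\r", "\n", "\u{2028}", "\u{2029}", ':', '%', '='];
    }

    /**
     * Return the disallowed characters present in $input for $context, in
     * order of first appearance, or an empty array when the input is clean.
     * Splitting by UTF-8 code point (not by byte) is what makes the
     * U+2028 / U+2029 entries match as single characters.
     *
     * @return string[]
     */
    public static function violations(string $context, string $input): array
    {
        $disallowed = match ($context) {
            'url' => self::disallowedAsUrl(),
            'css' => self::disallowedInCss(),
            'js'  => self::disallowedInJs(),
            default => throw new InvalidArgumentException("Unknown context: $context"),
        };

        $found = [];
        foreach (mb_str_split($input, 1, 'UTF-8') as $char) {
            if (in_array($char, $disallowed, true) && !in_array($char, $found, true)) {
                $found[] = $char;
            }
        }
        return $found;
    }

    public static function isSafe(string $context, string $input): bool
    {
        return self::violations($context, $input) === [];
    }
}

// Constructed sample inputs, one clean and several hostile value per context.
$samples = [
    ['url', '/profile?user=42'],              // no ':' -> safe
    ['url', 'javascript:alert(1)'],           // ':' -> scheme present
    ['css', 'red'],                           // safe
    ['css', 'url(javascript:alert(1))'],      // '(', ')', ':' -> CSS function + javascript: URI
    ['css', 'red; background: url(x)'],       // ';', ':', '(', ')' -> extra declaration
    ['js',  'hello world'],                   // safe, but only if placed inside a quoted string
    ['js',  "x'); alert(1); //"],             // "'", ')', '(' -> string break-out and call
    ['js',  "line\u{2028}break"],             // U+2028 terminates a JS string literal
];

foreach ($samples as [$context, $input]) {
    $bad = ContextSafenessCheck::violations($context, $input);
    printf(
        "%-4s %-34s %s\n",
        $context,
        json_encode($input),
        $bad === [] ? 'safe' : 'rejects ' . json_encode($bad)
    );
}
```

Two practical points follow from the page's own wording. First, the lists are denylists keyed by output context, so the caller, not the library, is responsible for naming the right context; a value that passes the URL check is not thereby safe in JavaScript. Second, as the JS list's treatment of "=" shows, the characters are chosen to cover both inside-a-string and outside-a-string placement, but the check is a backstop: a value that passes should still be emitted inside a quoted string, and the page itself advises that putting user input into a JavaScript context at all is rarely necessary.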