For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jeff_42220's avatar
Jeff_42220
Icon for Nimbostratus rankNimbostratus
Aug 24, 2009

URI::encode question

  Does the "URI::encode" command replace unsafe ASCII characters and thus prevent XSS vulnerabilities? I think that is the point of the "URI::encode" command but the devcentral explanation of th...
application delivery
dev
devops
iRules
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Aug 24, 2009
2 part answer:

 

 

I believe that URI::encode is meant to encode URI address strings, while most XSS exploits live in the body content. You don't see a lot of JavaScript URI exploits unless the app is written really badly. You can technically URI::encode anything though, including body content. But that job is usually better left to the application environment (i.e. PHP -> HTMLENTITIES()).

 

 

While URI::encode does provide some level of protection from the more mundane "" type exploits, I wouldn't rely on it solely to protect your site from XSS. Good coding practices, input validation, and white listing are your best bets against cross site scripting attacks.

 

 

Kevin