For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jeff_42220's avatar
Jeff_42220
Icon for Nimbostratus rankNimbostratus
Aug 24, 2009

URI::encode question

  Does the "URI::encode" command replace unsafe ASCII characters and thus prevent XSS vulnerabilities? I think that is the point of the "URI::encode" command but the devcentral explanation of th...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Aug 25, 2009
Sorry, the HTML encoding didn't make it through.

 

 

HTML encoding prevents the client from interpreting any metacharacters as the actual metacharacter. For example, if you HTML encode a script like it becomes & lt ; script & gt ; alert ( ' xss ' ) & lt ; / script & gt ; (without the spaces). The browser would HTML decode this and display , but would not execute the resulting string.

 

 

As a good example, the DC forum web app is HTML encoding the post content, so the script tags are displayed by the client browser but not executed as scripts.

 

 

Aaron