Weird title, huh?
When creating templates, pages and action responses for your web application you really need to take HTML escaping into consideration. Sometimes a system has so many use cases that you end up omitting HTML escaping for some piece of dynamic or user-entered text.
HTML escaping means converting <foo>bar & " to &lt;foo&gt;bar &amp; &quot; in the HTML source.
Reasons for making your HTML output valid include:
- It’s the “right thing to do”
- Does not make the browser work harder recovering from malformed markup
- Allows you to manually detect real HTML output errors (via CTRL+SHIFT+A in the Web Developer toolbar)
- Saves you from CSS rendering issues caused by HTML anomalies
- Ensures your content is easily parsable by third-party agents (crawlers, scrapers, XSLT transformers etc.)
So my favourite string is <script'"<i>
You can alter your development database content using statements like these:
update articles set title=concat("<script'\"<i>", title);
update users set firstname=concat("<script'\"<i>", firstname), lastname=concat("<script'\"<i>", lastname);
update categories set title=concat("<script'\"<i>", title);
...
If, after this database content change, your site is no longer functional, then there is a problem. You can also check for HTML validity with CTRL+SHIFT+A in the Web Developer toolbar and quickly spot areas where you missed HTML escaping.
You could even automate this whole process by having a tool (JTidy?) check that all your pages and use cases produce valid HTML. Indirectly you would then be testing for insecure (in XSS terms) parts of the application.
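The check described above, written as an added example (not code from the original post): the canary string is rendered through a constructed stand-in template, once escaped and once not, and the output is audited for raw versus escaped occurrences of the canary. The render_article function is a hypothetical template; the audit functions would be run over real page output in practice.

```python
import html
import re

# The canary string recommended in the post; a raw occurrence in output means
# escaping was missed at that point.
CANARY = "<script'\"<i>"


def escape_html(text: str) -> str:
    """Escape text for element content or a double-quoted attribute."""
    return html.escape(text, quote=True)


def render_article(title: str, escape: bool) -> str:
    """Constructed stand-in for a page template.

    escape=False models a template that forgot to escape dynamic text."""
    shown = escape_html(title) if escape else title
    return f'<h1 title="{shown}">{shown}</h1>'


def find_unescaped_canary(page: str, canary: str = CANARY):
    """Return (offset, context) for every raw canary in the page.

    Escaped occurrences never match, since their '<' became '&lt;'."""
    hits = []
    start = 0
    while True:
        idx = page.find(canary, start)
        if idx == -1:
            return hits
        hits.append((idx, page[max(0, idx - 20): idx + len(canary) + 20]))
        start = idx + len(canary)


def count_escaped_canary(page: str, canary: str = CANARY) -> int:
    """Count properly escaped canaries, whatever entity style was used.

    Splitting on raw '<' and '>' leaves segments containing no markup; if
    unescaping a segment reveals the canary, it was escaped on output."""
    return sum(html.unescape(seg).count(canary)
               for seg in re.split(r"[<>]", page))


def audit_page(page: str) -> dict:
    """Summarise how the canary came out: raw hits are escaping misses."""
    return {"unescaped": len(find_unescaped_canary(page)),
            "escaped": count_escaped_canary(page)}
```
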