I have some user input. Within my code, I ensure that the following symbols are escaped:

& -> &amp; 
< -> &lt; 
> -> &gt;

OWASP states that there are more chars to be escaped.

For attributes, I do another kind of escaping:

& -> &amp; 
" -> &quot;

This ensures that all attributes are enclosed by ". This makes me sure about my html-attributes, but not about HTML itself.

I wonder if my escaping is sufficient. I've read this post, but I'm still not sure about my concern.

(JavaScripts are escaped with the OWASP-Library)
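Added example (not code from the question or from the OWASP library): the question's two minimal escapers next to the stricter rules from the OWASP XSS Prevention Cheat Sheet, plus a small check that makes the key point concrete. Escaping only `&` and `"` in attribute values is enough as long as every attribute is really wrapped in double quotes; the moment a template uses single quotes or no quotes, that scheme leaks. The OWASP attribute rule (escape every non-alphanumeric character as `&#xHH;`) does not depend on the quoting style at all. The function names, the `renderTag` helper and the sample string are my own.

```javascript
// Context-specific HTML escaping: the question's minimal rules versus the
// OWASP cheat-sheet rules, with a check that shows where the minimal
// attribute escaper depends on the "always double-quoted" invariant.

// The question's text-node escaper: & < > only.
function escapeTextMinimal(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;" };
  return String(s).replace(/[&<>]/g, (c) => map[c]);
}

// The question's attribute escaper: & and " only, relying on double quotes.
function escapeAttrMinimal(s) {
  const map = { "&": "&amp;", '"': "&quot;" };
  return String(s).replace(/[&"]/g, (c) => map[c]);
}

// OWASP rule for text content: & < > " ' ; a numeric reference is used for
// the single quote because &apos; is not defined in HTML 4.
function escapeTextStrict(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// OWASP rule for attribute values: every non-alphanumeric character becomes
// &#xHH; so the value can never close the attribute, whichever delimiter
// (", ' or none) the surrounding markup uses. The u flag keeps astral
// characters whole so codePointAt() never yields a lone surrogate.
function escapeAttrStrict(s) {
  return String(s).replace(/[^a-zA-Z0-9]/gu,
    (c) => "&#x" + c.codePointAt(0).toString(16).toUpperCase() + ";");
}

// Can an already-escaped value be placed inside an attribute delimited by
// `quote` ('"', "'" or "" for unquoted) without ending the attribute?
function safeInAttr(escaped, quote) {
  if (quote === '"') return !escaped.includes('"');
  if (quote === "'") return !escaped.includes("'");
  // Unquoted values end at whitespace and must not contain " ' = < > `.
  return !/[\s"'=<>`]/.test(escaped);
}

// Render one element while enforcing the invariant the question relies on:
// every attribute is double-quoted and its value goes through escAttr.
function renderTag(name, attrs, text,
                   escAttr = escapeAttrMinimal, escText = escapeTextMinimal) {
  const attrStr = Object.entries(attrs)
    .map(([k, v]) => ` ${k}="${escAttr(v)}"`)
    .join("");
  return `<${name}${attrStr}>${escText(text)}</${name}>`;
}

// Constructed sample input that contains each delimiter character once.
const SAMPLE = `a&b "c" 'd' <e>`;

function demo() {
  const minimalAttr = escapeAttrMinimal(SAMPLE);
  const strictAttr = escapeAttrStrict(SAMPLE);
  return {
    minimalText: escapeTextMinimal(SAMPLE),
    strictText: escapeTextStrict(SAMPLE),
    minimalAttr,
    strictAttr,
    // Minimal escaping holds inside double quotes ...
    minimalAttrSafeDoubleQuoted: safeInAttr(minimalAttr, '"'),
    // ... but not if a template ever uses single quotes.
    minimalAttrSafeSingleQuoted: safeInAttr(minimalAttr, "'"),
    // Strict escaping is independent of the quoting style.
    strictAttrSafeSingleQuoted: safeInAttr(strictAttr, "'"),
    strictAttrSafeUnquoted: safeInAttr(strictAttr, ""),
    tag: renderTag("a", { title: SAMPLE }, SAMPLE),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The practical takeaway is the one the OWASP page makes: an escaper is only as good as the context assumption it encodes. If every attribute in your templates is double-quoted and every value passes through the attribute escaper, the `&`/`"` scheme is sufficient for that context; if you cannot guarantee that, use the strict rule so the output is safe in any attribute. Text nodes need at least `&`, `<` and `>`; adding `"` and `'` there costs nothing and means a value escaped for a text node does not silently become unsafe when someone later reuses it in an attribute.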

No correct solution

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow