HTML: Should I encode greater than or not? ( > &gt; )

Bryan Field · Jan 25, 2012 · Viewed 56k times

When encoding possibly unsafe data, is there a reason to encode >?

  • It validates either way.
  • The browser interprets it the same either way (in the cases of attr="data", attr='data', <tag>data</tag>).

I think the reasons somebody would do this are

  • To simplify regex-based tag removal: <[^>]+>? (rare)
  • Non-quoted strings attr=data. :-o (not happening!)
  • Aesthetics in the code. (so what?)

Am I missing anything?

Answer

Niet the Dark Absol · Jan 25, 2012

Strictly speaking, to prevent HTML injection, you need only encode < as &lt;.

If user input is going to be put in an attribute, also encode " as &quot;.

If you're doing things right and using properly quoted attributes, you don't need to worry about >. However, if you're not certain of this, you should encode it just for peace of mind - it won't do any harm.
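The following is an added example, not code from the question or the answer. It implements the minimal encoding the answer describes (`<` always, `"` for attribute use) next to the fuller set that Python's `html.escape` produces (which also covers `&`, `>` and `'`), then drops the encoded data into an element body, a quoted attribute and an unquoted attribute and uses the standard-library `html.parser` as a stand-in for a browser's tokenizer to count which tags and attribute names come out. The helper names (`encode_minimal`, `encode_full`, `injected_tags`, `render`) and the sample inputs are my own; `html.parser` is more lenient than a real browser in places, so treat it as an illustration rather than a conformance test.

```python
import html
from html.parser import HTMLParser


def encode_minimal(data: str) -> str:
    """The minimal encoding from the answer: '<' always, '"' because the
    output may land inside a double-quoted attribute. '>' is left alone."""
    return data.replace("<", "&lt;").replace('"', "&quot;")


def encode_full(data: str) -> str:
    """The belt-and-braces set: '&', '<', '>', '"' and "'" (html.escape's default
    with quote=True). Encoding '>' here is harmless: it round-trips exactly."""
    return html.escape(data, quote=True)


def roundtrip(data: str) -> str:
    """Decode what encode_full produced; equal to the input for any string."""
    return html.unescape(encode_full(data))


class TagCollector(HTMLParser):
    """Records every start tag the parser sees, with its attribute names."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, list[str]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def parse_tags(markup: str) -> list[tuple[str, list[str]]]:
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


# Templates are hypothetical; each declares exactly one tag with known attributes.
_TEMPLATES = {
    "element": ("<p>{}</p>", ("p", [])),
    "quoted_attr": ('<a title="{}">x</a>', ("a", ["title"])),
    "unquoted_attr": ("<a title={}>x</a>", ("a", ["title"])),
}


def render(data: str, encoder, context: str) -> str:
    """Encode user data and place it into one of the three HTML contexts."""
    template, _ = _TEMPLATES[context]
    return template.format(encoder(data))


def injected_tags(data: str, encoder, context: str) -> list[tuple[str, list[str]]]:
    """Return every (tag, attribute-names) pair that differs from the single
    tag the template itself declares. An empty list means the user data
    contributed no tags and no attributes, i.e. no HTML injection."""
    _, expected = _TEMPLATES[context]
    return [t for t in parse_tags(render(data, encoder, context)) if t != expected]


if __name__ == "__main__":
    # Constructed sample inputs: one tries to start a tag, one tries to break
    # out of an attribute value, one is just two words.
    samples = ["<b>hi</b>", '"><b>', "hello world"]
    for context in _TEMPLATES:
        for data in samples:
            for encoder in (encode_minimal, encode_full):
                extra = injected_tags(data, encoder, context)
                print(f"{context:14} {encoder.__name__:15} {data!r:14} -> {extra}")
```

Running it shows the answer's point: with either encoder, the element body and the quoted attribute receive no tag or attribute they did not declare, whether or not `>` was encoded. The unquoted attribute is the odd one out, and not because of `>`: `hello world` becomes a `title` attribute plus a stray `world` attribute under both encoders, because neither (nor any entity encoding of `<`, `>` or `"`) touches whitespace. The defence for that context is quoting the attribute, which is the "doing things right" the answer refers to.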