Is it necessary to remove the '#' special character in an XSS filter?


Dear Experts,

Is it necessary to remove the '#' special character (\u0023, number sign, hash mark) in an XSS filter?

Is there any reason to remove '#' in an XSS filter?

I found that this rule is removing '#':

xss.filter.rule.javascript2=(?i)\\u0023

Other rules already remove the '<' and '>' characters and prevent JavaScript XSS attacks. Nevertheless, is it necessary to additionally remove the '#' special character?

Any Pointers will be helpful.

Thank you for taking the time to read this thread.

Answers (1)

Hello,

It should stay enabled due to OWASP compliance: https://blog.appsecco.com/automating-discovery-and-exploiting-dom-client-xss-vulnerabilities-using-s...

You can create your own XSS Filter with a corresponding XSSValueTranslator to add some custom logic if needed.

Regards,

Mykhailo
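As an added illustration (not code from the question, the answer, or the product being discussed), the following Python snippet loads rules written in the same .properties style as the xss.filter.rule.javascript2 line quoted in the question and applies them to a value. The extra rule names and the sample inputs are constructed for this example. It shows that after .properties unescaping the stored pattern is (?i)\u0023, which the regex engine reads as the literal '#' character, so the rule strips every hash mark, including the fragment separator in a URL.

```python
import re

# Constructed rule set in Java .properties style. The javascript2 line is
# the one from the question; the tags1/tags2 names are invented here to
# stand in for the rules that remove '<' and '>'.
RULES_PROPERTIES = r"""
xss.filter.rule.tags1=(?i)<
xss.filter.rule.tags2=(?i)>
xss.filter.rule.javascript2=(?i)\\u0023
"""


def load_rules(text):
    """Parse key=value lines, undo .properties backslash escaping, compile.

    In a .properties file "\\" stands for a single backslash, so the
    stored pattern becomes "(?i)\u0023" and matches U+0023 ('#').
    """
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # skip blanks and .properties comment lines
        key, pattern = line.split("=", 1)
        pattern = pattern.replace("\\\\", "\\")
        rules[key.strip()] = re.compile(pattern)
    return rules


def apply_rules(value, rules):
    """Delete every match of every rule.

    Returns the filtered value and the names of the rules that fired,
    so a deployment can log which rule altered a request value.
    """
    fired = []
    for name, regex in rules.items():
        value, count = regex.subn("", value)
        if count:
            fired.append(name)
    return value, fired


if __name__ == "__main__":
    loaded = load_rules(RULES_PROPERTIES)
    for sample in ("page.html#section", "<b>hi</b>", "plain text"):
        print(sample, "->", apply_rules(sample, loaded))
```

Running it shows that "page.html#section" loses its '#' even though the value contains no markup at all, which is the trade-off the question is asking about.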