
30
Secure Development for Mobile Apps
Rule #1—HTML Escape before Inserting Untrusted Data into HTML Element Content
Rule #1 is for when you want to put untrusted data directly into the HTML body
somewhere. This includes inside normal tags like div, p, b, td, etc. Most web frameworks
have a method for HTML escaping for the characters detailed below. However, this is
absolutely not sufficient for other HTML contexts (attribute values, JavaScript, CSS, or
URLs): the same escaped string can still be interpreted as code there. You need to
implement the other rules detailed here as well.
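The following is an added example, not code from the book or from any particular framework. It implements Rule #1 escaping for the six characters the OWASP XSS Prevention Cheat Sheet lists for this rule (& < > " ' /), renders a vulnerable template next to the escaped one, and then shows the caveat in the paragraph above: the identical escaping applied in an unquoted attribute context still lets an attacker inject an event handler. The function names, the template strings, and the attacker payloads are this example's own constructions.

```javascript
// Added example (not from the book): HTML entity escaping for the element-content
// context (Rule #1), and a demonstration of why it is not enough for other contexts.
// The six characters are the ones the OWASP XSS Prevention Cheat Sheet lists for
// Rule #1; function names and sample inputs are this example's own assumptions.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Escape every character that can change the meaning of HTML element content.
// '&' must be escaped too, otherwise an attacker can smuggle entities such as
// "&lt;" that a later decoding step turns back into markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: untrusted data dropped straight into element content.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Fixed for Rule #1: the data lands inside a text node, never as markup.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Still vulnerable: the same escaping applied in an UNQUOTED attribute context.
// A payload needs only a space and '=' to add a new attribute, and neither
// character is in the Rule #1 escape set.
function renderAvatarUnquotedAttr(altText) {
  return `<img src="avatar.png" alt=${escapeHtml(altText)}>`;
}

// Crude post-render check used below: does the output contain more tags than
// the template wrote, or an event-handler attribute inside any tag?
function hasInjectedMarkup(html, templateTagCount) {
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  const hasHandler = tags.some((tag) => /\son[a-z]+\s*=/i.test(tag));
  return tags.length !== templateTagCount || hasHandler;
}

// Constructed sample inputs, as an attacker might submit them.
const SCRIPT_PAYLOAD = '<script>alert(document.cookie)</script>';
const IMG_PAYLOAD = '<img src=x onerror=alert(1)>';
const ATTR_PAYLOAD = 'x onerror=alert(1)';

console.log(renderCommentUnsafe(IMG_PAYLOAD));       // injected <img> tag survives
console.log(renderCommentSafe(IMG_PAYLOAD));         // rendered as literal text
console.log(renderAvatarUnquotedAttr(ATTR_PAYLOAD)); // onerror injected despite escaping
```

In practice use the encoder your framework or template engine already provides rather than a hand-rolled table; the point of the block is the contract (which characters, which context), and the last function is the reason the rest of the rules exist.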
<body> ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE ...</body>
<div> ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE ...</div>
<p> ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE ...