Encode system outputs
Summary
System output must be encoded (escaped) according to the language in which it will be interpreted.
Description
System components use structured messages to communicate with other components. When these messages include input from untrusted sources and that input is not properly escaped, the messages become prone to the insertion of malicious commands. For this reason, encoding or escaping must take place before the message is sent, using the rules of the language in which the receiving component will interpret it.
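As an added illustration (not part of this requirement's text), the following Python example takes one constructed untrusted value and encodes it separately for each destination language it is inserted into (HTML body, URL query string, shell argument, JSON, and a log line); the encoders are the Python standard library ones, and the `example.invalid` URL and the sample value are constructed.

```python
import html
import json
import shlex
import urllib.parse

# Constructed untrusted input: a display name that is harmless as data but
# carries characters that are meaningful in several output languages.
UNTRUSTED_NAME = '<b>alice</b>" onload="x()\r\n[ERROR] fake entry; rm -rf /'

def encode_for_html_body(value: str) -> str:
    """Escape for HTML element content: <, >, &, and quotes become entities."""
    return html.escape(value, quote=True)

def encode_for_url_query(value: str) -> str:
    """Percent-encode for a single query-string parameter value."""
    return urllib.parse.quote(value, safe="")

def encode_for_shell_argument(value: str) -> str:
    """Quote as one argv word so shell metacharacters lose their meaning."""
    return shlex.quote(value)

def encode_for_json(value: str) -> str:
    """Serialise as a JSON string literal (quotes and control chars escaped)."""
    return json.dumps(value)

def encode_for_log_line(value: str) -> str:
    """Neutralise log forging (CWE-117): CR/LF and other control characters
    are replaced by visible escapes so the value cannot start a new line."""
    out = []
    for ch in value:
        if ch in "\r\n":
            out.append("\\r" if ch == "\r" else "\\n")
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def build_messages(name: str) -> dict:
    """Insert one untrusted value into several structured messages, each
    encoded with the rules of its own destination language."""
    return {
        "html": f"<p>Hello, {encode_for_html_body(name)}</p>",
        "url": f"https://example.invalid/profile?name={encode_for_url_query(name)}",
        "shell": f"echo {encode_for_shell_argument(name)}",
        "json": f'{{"name": {encode_for_json(name)}}}',
        "log": f"INFO login user={encode_for_log_line(name)}",
    }
```

Calling `build_messages(UNTRUSTED_NAME)` returns the five encoded messages; note that the same value needs a different encoder for each context, and that the HTML encoder alone would leave the CR/LF pair that breaks the log line.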
References
- CAPEC-18. XSS targeting non-script elements
- CAPEC-19. Embedding scripts within scripts
- CAPEC-32. XSS through HTTP query strings
- CAPEC-48. Passing local filenames to functions that expect a URL
- CAPEC-130. Excessive allocation
- CAPEC-153. Input data manipulation
- CAPEC-240. Resource injection
- CAPEC-242. Code injection
- CAPEC-248. Command injection
- CWE-116. Improper encoding or escaping of output
- CWE-117. Improper output neutralization for logs
- CWE-173. Improper handling of alternate encoding
- OWASP10-A3. Injection
- OWASP10-A9. Security logging and monitoring failures
- CERTC-FIO30-C. Exclude user input from format strings
- MITRE-M1013. Application developer guidance
- PADSS-1_1_1. Do not store full contents of any track from the magnetic stripe
- PADSS-1_1_2. Do not store the card verification value or code used to verify transactions
- PADSS-5_2_1. Injection flaws, particularly SQL injection
- SANS25-2. Improper neutralization of input during web page generation (cross-site scripting)
- HITRUST-09_v. Electronic messaging
- HITRUST-10_e. Output data validation
- FEDRAMP-PE-16. Delivery and removal
- IEC62443-IAC-1_13. Access via untrusted networks
- WASC-W_22. Improper output handling
- PTES-6_2_1_1. Exploitation - Countermeasures (anti-virus encoding)
- MVSP-2_5. Application design controls - Security libraries
- OWASPSCP-2. Output encoding
- OWASPSCP-9. Communication security
- OWASPSCP-11. Database security
- OWASPSCP-13. Memory management
- BSAFSS-SC_3-2. Secure Coding (secure software against unsafe functions)
- BSAFSS-LO_2-4. Implement securely logging mechanisms
- ASVS-1_5_4. Input and output architecture
- ASVS-5_3_1. Output encoding and injection prevention
- OWASPAPI-API8. Security Misconfiguration
- CASA-1_5_4. Input and Output Architecture
- CASA-5_3_1. Output Encoding and Injection Prevention
- CWE25-79. Improper neutralization of input during web page generation (cross-site scripting)
- OWASPLLM-LLM01:2025. Prompt Injection
- OWASPLLM-LLM08:2025. Vector and Embedding Weaknesses
Weaknesses
Supported In
This requirement is verified in the following services:
Essential Plan
Advanced Plan