Deny Rule Group – (default) Cross-Site Scripting (XSS) in Parameter Value

XSS_PARAM_VALUE

  • The group contains XSS deny rules for parameter values.
  • The security level Basic prevents injection of <script> and known HTML event handlers (e.g. "onload").
  • The security level Standard prevents injection of JavaScript code in quoted context.
  • The security level Strict prevents injection of JavaScript code in unquoted context.

Included Deny Rules

Rule name                                                                           Basic  Standard  Strict
(default 02) Cross-site scripting rule for values                                   -      -         -
(default XSS_001a) Source attribute of critical HTML tag in parameter value         ON     ON        ON
(default XSS_005a) HTML script tag in parameter value                               ON     ON        ON
(default XSS_020a) Injection in link attributes in parameter value                  -      ON        ON
(default XSS_025a) Refresh rate manipulation in parameter value                     -      ON        ON
(default XSS_030a) JavaScript in quoted context in parameter value                  -      ON        ON
(default XSS_035a) JavaScript in unquoted context in parameter value                -      -         ON
(default XSS_040a) HTML event handler in parameter value                            ON     ON        ON
(default XSS_050a) CSS expression in parameter value                                -      ON        ON
(default XSS_055a) XSS filter evasion using arrays and objects in parameter value   -      ON        ON