Deny Rule Group – (default) HTML Injection in Header Value

HTML_HEADER_VALUE

  • The group prevents HTML injection through HTTP header values.
  • The security level Basic does not prevent any HTML injection.
  • The security level Standard prevents injection of well known HTML tags (e.g. <img src="path">) as well as injection of well known HTML attribute names in a single or double quoted attribute value (e.g. ' href="URL").
  • The security level Strict prevents injection of any kind of HTML tags as well as injection of any kind of HTML attribute names in a single or double quoted attribute value.

Included Deny Rules

Rule name

Basic

Standard

Strict

(default HTML_001b) HTML tag in HTTP header value

Icon - ON

(default HTML_002b) Known HTML tag in HTTP header value

Icon - ON

(default HTML_003b) HTML attribute in quoted context in HTTP header value

Icon - ON

(default HTML_004b) Known HTML attribute in quoted context in HTTP header value

Icon - ON