XSS_HEADER_VALUE
- The group contains XSS deny rules for HTTP header values.
- The security level Basic prevents injection of <script> and known HTML event handlers (e.g. "onload").
- The security level Standard prevents injection of JavaScript code in quoted context.
- The security level Strict prevents injection of JavaScript code in unquoted context.
Included Deny Rules
Rule name | Basic | Standard | Strict |
(default XSS_001b) Source attribute of critical HTML tag in HTTP header value | | | |
(default XSS_005b) HTML script tag in HTTP header value | | | |
(default XSS_020b) Injection in link attributes in HTTP header value | | | |
(default XSS_025b) Refresh rate manipulation in HTTP header value | | | |
(default XSS_030b) JavaScript in quoted context in HTTP header value | | | |
(default XSS_040b) HTML event handler in HTTP header value | | | |
(default XSS_050b) CSS expression in HTTP header value | | | |
(default XSS_055b) XSS filter evasion using arrays and objects in HTTP header value | | | |