(default) HTML Injection in Parameter Value
Deny Rule Group – (default) HTML Injection in Parameter Value

HTML_PARAM_VALUE

  • The group prevents HTML injection through HTTP parameter values.
  • The security level Basic does not prevent any HTML injection.
  • The security level Standard prevents injection of well known HTML tags (e.g. <img src="path">) as well as injection of well known HTML attribute names in a single or double quoted attribute value (e.g. ' href="URL").
  • The security level Strict prevents injection of any kind of HTML tags as well as injection of any kind of HTML attribute names in a single or double quoted attribute value.

Included Deny Rules

Rule name
Basic
Standard
Strict
(default HTML_001a) HTML tag in parameter value
Icon - ON
(default HTML_002a) Known HTML tag in parameter value
Icon - ON
(default HTML_003a) HTML attribute in quoted context in parameter value
Icon - ON
(default HTML_004a) Known HTML attribute in quoted context in parameter value
Icon - ON