Introduction to Web APPs
URL Encoding
An important concept to learn in HTML is URL Encoding, or percent-encoding. For a browser to properly display a page's contents, it has to know the charset in use. In URLs, for example, browsers can only use ASCII encoding, which only allows alphanumerical characters and certain special characters. Therefore, all other characters outside of the ASCII character-set have to be encoded within a URL. URL encoding replaces unsafe ASCII characters with a % symbol followed by two hexadecimal digits.
For example, the single-quote character ''' is encoded to '%27', which can be understood by browsers as a single-quote. URLs cannot have spaces in them and will replace a space with either a + (plus sign) or %20. Some common character encodings are:
| Character | Encoding |
|---|---|
| space | %20 |
| ! | %21 |
| " | %22 |
| # | %23 |
| $ | %24 |
| % | %25 |
| & | %26 |
| ' | %27 |
| ( | %28 |
| ) | %29 |
A full character encoding table can be seen here.
XSS
| Type | Description |
|---|---|
| Reflected XSS | Occurs when user input is displayed on the page after processing (e.g., search result or error message). |
| Stored XSS | Occurs when user input is stored in the back end database and then displayed upon retrieval (e.g., posts or comments). |
| DOM XSS | Occurs when user input is directly shown in the browser and is written to an HTML DOM object (e.g., vulnerable username or page title). |