Vol. 1 · Ed. 2026
CyberGlossary
Entry № 870

Output Encoding

Reviewed by Cybersecurity entrepreneur & security researcher

What is Output Encoding?

Output Encoding: Transforming untrusted data into a form that is safe for a specific output context — HTML, JavaScript, URL, SQL, shell — so it cannot break out and execute as code.


Output encoding (or escaping) is the primary control against injection vulnerabilities that surface when data is rendered into another interpreter. Each context has its own rules: HTML entity encoding for HTML body, attribute encoding for HTML attributes, JavaScript Unicode escapes for JS string literals, percent-encoding for URLs, and parameterized APIs for SQL or shells. Encoding must be applied at the exact point where data leaves the application's trust boundary and enters a downstream interpreter, using the encoder that matches that context. Combined with input validation and parameterized queries, output encoding is one of the core countermeasures for XSS, HTML injection, command injection and CSV injection.

Examples

  1. HTML-entity-encoding user comments before rendering them in a page body to stop reflected XSS.

  2. JavaScript-encoding values inserted into a JS string literal in a server-rendered template.
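
The per-context rules described above, as an added example that is not part of the original glossary entry: one encoder per output context in Python, with a dispatcher that refuses unknown contexts instead of emitting raw data. The function names and the sample string are constructed for illustration; production code would normally rely on the template engine's or a maintained library's contextual encoders.

```python
import html
from urllib.parse import quote

def _is_plain(c: str) -> bool:
    # ASCII letters and digits are safe in every context covered here.
    return c.isascii() and c.isalnum()

def encode_html_body(value: str) -> str:
    # HTML body: entity-encode & < > " ' so the data cannot open a tag.
    return html.escape(value, quote=True)

def encode_html_attr(value: str) -> str:
    # HTML attribute: &#xHH; for every non-alphanumeric character, so the
    # value cannot end the attribute even when the attribute is unquoted.
    return "".join(c if _is_plain(c) else f"&#x{ord(c):X};" for c in value)

def encode_js_string(value: str) -> str:
    # JS string literal: a Unicode escape per UTF-16 code unit, which covers
    # quotes, backslash, line terminators and the "</script>" sequence.
    out = []
    for c in value:
        if _is_plain(c):
            out.append(c)
            continue
        raw = c.encode("utf-16-be")
        out.extend("\\u%04X" % int.from_bytes(raw[i:i + 2], "big")
                   for i in range(0, len(raw), 2))
    return "".join(out)

def encode_url_component(value: str) -> str:
    # URL component: percent-encode everything outside the unreserved set.
    return quote(value, safe="")

ENCODERS = {"html_body": encode_html_body, "html_attr": encode_html_attr,
            "js_string": encode_js_string, "url_component": encode_url_component}

def encode_for(context: str, value: str) -> str:
    # Fail closed: an unknown context must never fall back to raw output.
    if context not in ENCODERS:
        raise ValueError(f"no encoder for output context {context!r}")
    return ENCODERS[context](value)

# Constructed sample input with metacharacters from several contexts.
SAMPLE = 'Tom & "Jerry" </script> \\ \n'

if __name__ == "__main__":
    for ctx in ENCODERS:
        print(f"{ctx:14} {encode_for(ctx, SAMPLE)}")
```

Running it prints the same input four different ways, which shows why an encoder chosen for one context cannot be reused in another: the HTML body encoder, for instance, leaves the backslash and newline untouched, and both are significant inside a JS string literal.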

Frequently asked questions

What is Output Encoding?

Transforming untrusted data into a form that is safe for a specific output context — HTML, JavaScript, URL, SQL, shell — so it cannot break out and execute as code. It belongs to the Application Security category of cybersecurity.

How do you defend against Output Encoding?

Defences for Output Encoding typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Output Encoding?

Common alternative names include: Output escaping, Contextual escaping.
