Input sanitization is an important aspect of secure coding to prevent various forms of attacks, such as SQL injection, Cross-Site Scripting (XSS), and command injection. While the specific set of characters to block may vary depending on the context and the technology stack you’re using, here is a general list of special characters and character sequences that you should consider blocking or escaping:
Note: the list below is not exhaustive; which characters to block or sanitize depends on the programming language, framework, application requirements, and the context in which the input is used.

```text
` ' " ; \ \x00 %00 < > & / | $ ( ) { } ! : % ? # @ [ ] * . + ^ \r \n %0A %0D
```
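One detail in the list above is easy to miss: it names both raw forms (`\x00`, `\r`, `\n`) and URL-encoded forms (`%00`, `%0D`, `%0A`). A check that runs only on the raw string is bypassed by one extra layer of encoding (`%2500` decodes to `%00`, which decodes to a null byte). The following added example (not code from the original page) applies the page's general list after bounded percent-decoding, so the check sees what the downstream component will see; the function names and the three-round limit are this example's own choices.

```python
"""Normalize-then-check against the general character list above (added example)."""
from urllib.parse import unquote

# The page's general list as single characters. The multi-character encoded
# forms (%00, %0A, %0D) are covered by decoding before the check, not listed here.
BLOCKED_CHARS = frozenset("`'\";\\\x00<>&/|$(){}!:%?#@[]*.+^\r\n")


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, bounded so a hostile
    input cannot make the loop spin. After this, %2500 is the null byte."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def blocked_chars_in(value: str) -> set[str]:
    """Return the blocked characters present once the value is normalized."""
    return set(normalize(value)) & BLOCKED_CHARS


def is_clean(value: str) -> bool:
    """True when no character from the general list survives normalization."""
    return not blocked_chars_in(value)


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    for sample in ("alice", "x;y", "%2500", "a%0D%0Ab", "user@example.com"):
        print(repr(sample), "->", sorted(blocked_chars_in(sample)))
```

Note what the last sample shows: with the general list applied verbatim, an ordinary e-mail address is rejected because of `.` and `@`. That is the practical meaning of the note that the set of characters depends on context: the general list is a starting point for choosing a per-field rule, not a filter to apply to every input unchanged.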
| Vulnerability Name | Special Characters |
|---|---|
| SQL Injection | Single quote (`'`), double quote (`"`), semicolon (`;`), SQL comment markers (`--` and `/* */`), `UNION` keyword, SQL wildcard characters (`%` and `_`), null byte (`\x00` or `%00`) |
| Cross-Site Scripting (XSS) | Less than (`<`), greater than (`>`), ampersand (`&`), double quote (`"`), single quote (`'`), forward slash (`/`), backslash (`\`), backtick (`` ` ``), equal sign (`=`) |
| Command Injection | Semicolon (`;`), pipe (`\|`), ampersand (`&`), backtick (`` ` ``), dollar sign (`$`) |
| File Inclusion/Path Traversal | Dot (`.`), double dot (`..`), forward slash (`/`), backslash (`\`) |
| LDAP Injection | Asterisk (`*`), left parenthesis (`(`), right parenthesis (`)`), null byte (`\x00` or `%00`), ampersand (`&`), pipe (`\|`), equal sign (`=`) |
| XML Injection | Less than (`<`), greater than (`>`), ampersand (`&`), double quote (`"`), single quote (`'`), forward slash (`/`), backslash (`\`) |
| Server-Side Template Injection | Curly braces (`{`, `}`), percent sign (`%`), double quote (`"`), single quote (`'`), backtick (`` ` ``), dollar sign (`$`), hash (`#`), ampersand (`&`), pipe (`\|`), semicolon (`;`), colon (`:`), exclamation mark (`!`), parentheses and square brackets (`()`, `[]`), angle brackets (`<`, `>`), question mark (`?`), forward slash (`/`), backslash (`\`), dot (`.`), underscore (`_`) |
| Open URL Redirection | Forward slash (`/`), backslash (`\`), question mark (`?`), equal sign (`=`), ampersand (`&`), percent sign (`%`), null byte (`\x00` or `%00`), dot (`.`), at symbol (`@`) |
| Server-Side Request Forgery (SSRF) | Colon (`:`), double slash (`//`), percent sign (`%`), null byte (`\x00` or `%00`), ampersand (`&`), forward slash (`/`), backslash (`\`), at symbol (`@`) |
| CRLF Injection | URL-encoded carriage return (`%0D`), URL-encoded line feed (`%0A`) |
| CSV Injection | Equals sign (`=`), double quote (`"`), single quote (`'`), at sign (`@`), pipe (`\|`), opening parenthesis (`(`), closing parenthesis (`)`), forward slash (`/`) |
| Whitespace and Control Characters | Various whitespace characters (e.g., space, tab, newline), non-printable control characters (e.g., null byte, vertical tab) |
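The table lists the characters that matter per context, and the intro offers "blocking or escaping" as the response. The right choice differs by row: for some contexts a well-defined escaping rule exists, while for others the robust fix is structural (bind the value as a parameter, or check where a path actually resolves) rather than stripping characters. The added example below (not code from the original page) shows one defensive treatment for six of the rows. Assumptions: the function names are this example's own; the LDAP escapes are the RFC 4515 filter-escape sequences; the CSV trigger set follows OWASP's CSV injection guidance and therefore adds `+`, `-`, tab and carriage return to the `=` and `@` the table lists; the path check is written for POSIX paths.

```python
"""Per-context handling for several rows of the table (added example)."""
import html
import os
import sqlite3

# --- SQL Injection row: bind the value instead of stripping quotes ---------
def demo_db() -> sqlite3.Connection:
    """Constructed in-memory database with one user row, for the demo only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('alice')")
    return conn

def lookup_user(conn: sqlite3.Connection, username: str) -> list:
    """The quote, semicolon and comment markers from the SQL row never reach
    the SQL parser: the driver binds the value separately from the statement."""
    return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()

# --- XSS row: encode <, >, &, ", ' for an HTML text or attribute context ----
def to_html(value: str) -> str:
    return html.escape(value, quote=True)

# --- LDAP Injection row: RFC 4515 escaping of *, (, ), \ and NUL -----------
_LDAP_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}

def ldap_filter_escape(value: str) -> str:
    """Escape a value before it is spliced into an LDAP search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)

# --- CSV Injection row: neutralize cells a spreadsheet would evaluate -------
_FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def csv_cell(value: str) -> str:
    """Prefix a formula-looking cell with a single quote so it is stored as
    text, double any embedded quotes, and wrap the cell in quotes."""
    if value.startswith(_FORMULA_TRIGGERS):
        value = "'" + value
    return '"' + value.replace('"', '""') + '"'

# --- CRLF Injection row: a header value must not contain line terminators --
def header_value(value: str) -> str:
    """Reject rather than escape: there is no legitimate CR or LF in a header value."""
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF not allowed in header value")
    return value

# --- Path Traversal row: check where the path resolves, not just for ".." --
def safe_join(base: str, user_path: str) -> str:
    """Resolve the candidate path and require it to stay inside base.
    This also catches an absolute user_path, which os.path.join would honour."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("path escapes base directory")
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    conn = demo_db()
    print(lookup_user(conn, "alice"), lookup_user(conn, "x' OR '1'='1"))
    print(to_html("<b>x</b>"), ldap_filter_escape("*)(uid=*"), csv_cell("=SUM(A1)"))
```

The pairing matters more than any single function: for the SQL row, parameter binding makes the listed characters harmless without touching the value, whereas for the CRLF row there is nothing sensible to escape to, so the value is rejected. The path check resolves the final location and compares it against the base directory, which is why it needs no list of dot and slash variants at all.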