"Escaping" refers to the process in markup languages, programming languages, or script languages of converting characters or symbols that have special meanings into alternative strings that can be safely processed.
For instance, in HTML, the characters < and > are reserved for delimiting tags. If these characters appear directly in HTML, a web browser interprets them as markup rather than as plain text. To display them as text, they must be written as escape sequences (HTML character entities), such as &lt; for < and &gt; for >. When a browser encounters these escape sequences, it renders them as the original characters (< and >) without interpreting them as markup. This conversion process is what we call "escaping."
Escaping is especially important in the context of web security. It is an essential aspect of "sanitization," a practice aimed at safely handling user input provided through web forms.
For example, imagine a web application that takes user input from a form and displays it directly on a subsequent page. Suppose a user submits the input:
<script>alert("Hello!");</script>
If the web application directly includes this string into the resulting page without escaping, the browser interprets and executes it as JavaScript code. Consequently, a popup alert box displaying "Hello!" would appear, which wasn't intended by the website's creator or administrator. Although this simple script might not cause significant harm, the ability for a third-party user to arbitrarily embed scripts into web pages is a serious problem, potentially exposing the site to Cross-Site Scripting (XSS) attacks and other security threats.
To prevent this, the web application should escape special characters before inserting such data into a page. By replacing < and > with their corresponding escape sequences (&lt; and &gt;), the submitted script is written into the page as the string:
&lt;script&gt;alert("Hello!");&lt;/script&gt;
In this form, the browser treats it strictly as text: it displays <script>alert("Hello!");</script> on the page as ordinary characters, so no script is executed and no unintended behavior is triggered.
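The following is an added example, not code from this page or from F5: a minimal HTML escaper in JavaScript, applied to the same sample input the text uses, beside the unescaped rendering that the vulnerable application would produce. The template strings, the function names (escapeHtml, renderUnsafe, renderSafe, containsScriptTag) and the sample input are all constructed for illustration. Besides < and >, it also escapes &, " and ', because those characters can change the meaning of HTML text and attribute values in the same way.

```javascript
// Added example (not from the original page): a minimal HTML escaper and a
// comparison of unescaped vs escaped rendering of user-supplied input.

// The five characters that can change meaning inside HTML text or a quoted
// attribute value. '&' is included so that an input such as "&lt;" cannot be
// smuggled through as an entity; " and ' matter inside attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escapes a string for insertion into HTML text or a quoted attribute value.
// A single regex pass replaces each character exactly once, so entities
// produced by the replacement are never re-escaped.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The vulnerable pattern described in the text: user input is concatenated
// straight into the page with no escaping.
function renderUnsafe(userInput) {
  return `<p class="comment">${userInput}</p>`;
}

// The hardened form: the same template, with the input escaped first.
function renderSafe(userInput) {
  return `<p class="comment">${escapeHtml(userInput)}</p>`;
}

// A small check a test or code reviewer can run over rendered output:
// does the page contain a <script tag that did not come from the template?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: the same payload the text uses.
const SAMPLE_INPUT = '<script>alert("Hello!");</script>';

console.log(renderUnsafe(SAMPLE_INPUT));
// <p class="comment"><script>alert("Hello!");</script></p>
console.log(renderSafe(SAMPLE_INPUT));
// <p class="comment">&lt;script&gt;alert(&quot;Hello!&quot;);&lt;/script&gt;</p>
```

Note that escaping is specific to the output context: the function above is correct for HTML text and for quoted attribute values, but data inserted into a JavaScript block, a URL, or a CSS rule needs the escaping rules of that context instead, which is why framework template engines select the escaper by context rather than applying one function everywhere.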
Most modern web application development languages and frameworks have built-in functions for escaping strings appropriately. However, verifying that every input is correctly escaped in complex web applications, and identifying and correcting problematic elements, can require considerable time and effort. A highly effective solution for this issue is using a Web Application Firewall (WAF), which ensures that user-submitted inputs are escaped prior to reaching the web application.
F5 offers WAF functionality with its BIG-IP solution.