CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages

VariantDraft

The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers.

View on MITRE
Back to CWE Lookup

Extended Description

Some web browsers may remove these sequences, resulting in output that may have unintended control implications. For example, the product may attempt to remove a "javascript:" URI scheme, but a "java%00script:" URI may bypass this check and still be rendered as active javascript by some browsers, allowing XSS or other attacks.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages?+

CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product does not neutralize or incorrectly neutralizes invalid characters or byte sequences in the middle of tag names, URI schemes, and other identifiers. Some web browsers may remove these sequences, resulting in output that may have unintended control implications. For example, the product may attempt to remove a "javascript:" URI scheme, but a "java%00script:" URI may bypass this check and still be rendered as active javascript by some browsers, allowing XSS or other attacks.

What are the security consequences of Improper Neutralization of Invalid Characters in Identifiers in Web Pages?+

If exploited, CWE-86 (Improper Neutralization of Invalid Characters in Identifiers in Web Pages) it can compromise Confidentiality, Integrity and Availability, leading to outcomes such as Read Application Data and Execute Unauthorized Code or Commands.

Which programming languages are affected by Improper Neutralization of Invalid Characters in Identifiers in Web Pages?+

CWE-86 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Improper Neutralization of Invalid Characters in Identifiers in Web Pages?+

MITRE documents real CVEs mapped to CWE-86, including CVE-2004-0595. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-86 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More