Defenses against XSS
In this lesson, we will discuss defenses against cross-site scripting.
HTML encoding as defense
Now that we have seen how HTML encoding works, we can use it as a defense against HTML injection and XSS. Whenever we build HTML as part of a response to a web browser and concatenate in user-controlled data, we must HTML-encode that data first, at the point where it is placed into the page. Encoding turns the characters that carry structural meaning in HTML (&, <, >, " and ') into their entity forms (&amp;, &lt;, &gt;, &quot;, &#39;), so even if an attacker sneaks a <script> tag or an event-handler attribute into the data, the browser renders it as literal text and shows the user JavaScript source code instead of parsing it as markup and executing attacker-controlled JavaScript. Note that HTML encoding only protects data placed in HTML text or inside a quoted attribute value; data inserted into a script block, a URL, or an unquoted attribute needs the encoding appropriate to that context.
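As an added example (not code from this lesson), here is a minimal HTML encoder in JavaScript beside a vulnerable and a hardened way of building the same response, runnable under Node. The attacker payloads are constructed for the demo and the helper names (htmlEncode, renderGreetingSafe and so on) are mine, not a framework's API. In production you should use your framework's encoder, as the lesson says; writing one out shows exactly which characters matter and why the attribute must be quoted.

```javascript
// Added example, not from the lesson: a minimal HTML encoder beside a
// vulnerable and a hardened template. Helper names and payloads are mine.

// Constructed attacker inputs (typical XSS probes), not real captured data.
const ATTACKER_NAME = '<script>alert(document.cookie)</script>';
const ATTACKER_ATTR = '" onmouseover="alert(1)';
const ATTACKER_UNQUOTED = 'x onmouseover=alert(1)';

// The five characters with structural meaning in HTML text and quoted
// attribute values, mapped to entity forms. A single regex pass means an
// existing '&' in the input is encoded exactly once (no double encoding).
const CHAR_TO_ENTITY = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};
const ENTITY_TO_CHAR = Object.fromEntries(
  Object.entries(CHAR_TO_ENTITY).map(([ch, ent]) => [ent, ch]),
);

function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => CHAR_TO_ENTITY[ch]);
}

// Inverse, to show the encoded page still carries the user's exact text;
// the browser decodes it for display but never parses it as markup.
function htmlDecode(text) {
  return text.replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => ENTITY_TO_CHAR[ent]);
}

// VULNERABLE: untrusted data concatenated straight into the response.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// HARDENED: same template, value encoded at the point it enters HTML text.
function renderGreetingSafe(name) {
  return `<p>Hello, ${htmlEncode(name)}!</p>`;
}

// Quoted attribute: encoding the quote character keeps the value inside
// the attribute, so the injected onmouseover is just part of the title.
function renderAvatarQuoted(title) {
  return `<img src="/avatar.png" title="${htmlEncode(title)}">`;
}

// Unquoted attribute: whitespace is not encoded, so the same encoder does
// NOT help; the browser sees a second, attacker-supplied attribute.
function renderAvatarUnquoted(title) {
  return `<img src="/avatar.png" title=${htmlEncode(title)}>`;
}

// Crude stand-in for the parser: which <script> start tags would the
// browser see? Valid for text context only, because '<' is always encoded.
function scriptTagsIn(html) {
  return html.match(/<script\b[^>]*>/gi) || [];
}

function demo() {
  return {
    unsafe: renderGreetingUnsafe(ATTACKER_NAME),
    safe: renderGreetingSafe(ATTACKER_NAME),
    quoted: renderAvatarQuoted(ATTACKER_ATTR),
    unquoted: renderAvatarUnquoted(ATTACKER_UNQUOTED),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, html] of Object.entries(demo())) {
    console.log(`${label.padEnd(8)} ${html}`);
  }
}
```

Running the file prints the four rendered fragments: the unsafe greeting contains a live <script> tag, the safe one contains only entity text, the quoted attribute keeps the injected onmouseover inside the title value, and the unquoted attribute is still exploitable even though every character passed through the encoder.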
The preferred defense is to use the encoding libraries that come with your web framework. That is, most web frameworks have built-in libraries that ...