
How to avoid XSS (Cross Site Scripting)?

Gurumurthy Ramamurthy
Ranch Hand

Joined: Feb 13, 2003
Posts: 273

I know that XSS happens because of malicious data/script injected into a webpage before it is sent to the client, and it appears as if it came from the original site. It does a lot of damage to the user, like password theft, credit card sniffing, etc.

Can you tell me how to avoid this:

1. During development?
2. During run-time by the user/client?

Yuriy Fuksenko
Ranch Hand

Joined: Feb 02, 2001
Posts: 413
If you want to try using XSS, cookie stealing and other web hacking things (and it really helps to understand how to prevent it), go to , register and go through the "realistics mission" challenges. They are fun and educational.
Eric Pascarello

Joined: Nov 08, 2001
Posts: 15385
Well the only way that code can get injected into a page that affects other users is if you let it happen. You need to strip out script tags, and escape user input if it is being displayed for everyone to view.
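
As an added example that is not part of the original thread, the following sketch shows escaping user input at output time, next to script-tag stripping used on its own, over a few constructed inputs. The function names and the `renderComment` template are hypothetical.

```javascript
// Added example (not from the thread): encode untrusted text at output time.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Replace the five characters that can change HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical renderer for a comment displayed to every visitor.
// Both the quoted attribute value and the element body are encoded.
function renderComment(author, text) {
  return '<div class="comment" title="' + escapeHtml(author) + '">' +
    escapeHtml(text) + "</div>";
}

// Tag stripping on its own, for comparison: removes only <script> tags.
function stripScriptTags(value) {
  return String(value).replace(/<\/?script\b[^>]*>/gi, "");
}

// Constructed sample inputs (not taken from any real site).
const SAMPLES = [
  "<script>alert(1)</script>",
  "<img src=x onerror=alert(1)>",
  'Tom & "Jerry"',
];

// For each sample, show what each approach leaves behind.
function report() {
  return SAMPLES.map((input) => ({
    input,
    stripped: stripScriptTags(input),
    escaped: escapeHtml(input),
  }));
}

for (const row of report()) {
  console.log(row);
}
```

This encoding covers HTML element bodies and quoted attribute values; data placed inside script blocks, URLs or CSS needs encoding specific to that context.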
