We began this chapter on how to keep your users’ data safe from cross-site scripting exploits by describing exactly what XSS
is and how it works. We listed the various kinds of scripting that might be involved, categorized the two varieties of such
scripting, and discussed each of a long list of possible XSS techniques.
We then turned to techniques for preventing XSS. After a discussion of why SSL connections do nothing to help this effort,
we described various strategies for handling user input:
| •
|
Encoding HTML entities (in input not expected to have HTML content) |
| •
|
Sanitizing URIs |
| •
|
Filtering for known XSS exploit attempts |
| •
|
Isolating sensitive activity in private APIs |
| •
|
Predicting users’ next actions |
We then provided a suggestion for testing protection schemes.
In Chapter 14, we will discuss the last in our series of special cases of sanitizing user input, preventing remote execution.