Fixing Cross-site Scripting (XSS)
Author: HollyGraceful Published: 25 October 2020
This issue arises when user-supplied input is included in a server response without validation or output encoding, so that the browser interprets the input as part of the page's markup or script.
One very effective method of preventing this attack is to use an allow-list (sometimes called a whitelist), which accepts only known-good content. For example, if your expected input is an integer and the user supplies anything other than an integer, you can simply reject that input and perhaps return a message telling the user what the issue is, without reflecting the original payload back in the response.
The opposite approach is a blocklist (sometimes called a blacklist), which attempts to block known-bad content. Because this requires a complete list of every possible bad input, it is commonly ineffective and opens up the possibility of filter evasion.
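The allow-list approach described above, as an added Python example that is not part of the original article: a strict integer validator whose rejection message never echoes the payload, plus HTML-body encoding for a free-text field where an allow-list would be too restrictive. The handler names and the "quantity" and "comment" fields are assumptions for illustration.

```python
import html
import re

# Allow-list for the field discussed in the text: a decimal integer and
# nothing else. Anchored so no trailing characters can sneak past.
_INTEGER_RE = re.compile(r"^-?[0-9]{1,10}$")


def validate_integer(raw):
    """Return (ok, value_or_message).

    On success the parsed int is returned. On failure a fixed message is
    returned that never includes the rejected input, so the response body
    cannot carry the user's payload back into the page.
    """
    if raw is None or not _INTEGER_RE.fullmatch(raw.strip()):
        return False, "Invalid input: this field accepts whole numbers only."
    return True, int(raw.strip())


def render_quantity_page(raw_quantity):
    """Hypothetical handler for a 'quantity' field (constructed example).

    Only the allow-listed integer or the fixed error message ever reaches
    the HTML that is returned.
    """
    ok, result = validate_integer(raw_quantity)
    if not ok:
        return '<p class="error">%s</p>' % result
    return "<p>Quantity: %d</p>" % result


def render_free_text(comment):
    """Hypothetical handler for a free-text 'comment' field.

    Where an allow-list is too restrictive, encode for the HTML body
    context so any markup in the input is rendered as inert text.
    """
    return "<p>%s</p>" % html.escape(comment, quote=True)


if __name__ == "__main__":
    # Constructed sample inputs: one valid, one that an attacker might
    # shape as markup, and one free-text comment containing tags.
    for sample in ("12", "12<b>bold</b>"):
        print(render_quantity_page(sample))
    print(render_free_text('<b>hi</b> & "quotes"'))
```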