Apr 24, 2009, 4:29 AM
[CLOSED] Tips on preventing Cross Site Scripting (XSS)
Is there anything built in to the Coolite framework that can help prevent Cross Site Scripting (XSS) attacks?
i.e. At the moment, if I add a record to my system and type the following into a text box:
"<script>alert()</script>"
And save the record, and reload the screen that displays the record in a GridPanel, the whole screen doesn't render.
Also, if "<p>Test</p>" is typed in, when rendered to a GridPanel it displays "Test" (i.e. the "<p></p>" part is rendered as HTML).
What would be your recommendation to prevent this from occurring - either encode the HTML upon saving, or when displaying data?
Any hints/tips from previous experiences would be useful.
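The two options the question weighs (encode on save vs. encode on display) can be seen side by side in plain JavaScript. The following is an added example, not code from the original post or from the Coolite framework: `htmlEncode`, `renderRow`, `renderGrid` and `doubleEncodedExample` are names chosen here, and the records are constructed sample data using the same two inputs the question mentions. It shows a grid row renderer that stores values as typed and escapes them only at output, so `<script>alert()</script>` and `<p>Test</p>` appear as literal text rather than being interpreted as markup, and it shows what goes wrong when the value is encoded at both save and display time.

```javascript
// Added example (not from the original post or Coolite): HTML-encode a cell
// value at render time so markup typed into a text box is shown as text.

// Escape the five characters that are significant in HTML text and
// attribute contexts. Everything else passes through unchanged.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // must be first, or later entities get re-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Render one record as a table row. Every cell goes through htmlEncode,
// so a stored value of "<script>alert()</script>" is displayed literally
// and never reaches the browser's HTML parser as a tag.
function renderRow(record, columns) {
  const cells = columns.map(col => `<td>${htmlEncode(record[col])}</td>`);
  return `<tr>${cells.join('')}</tr>`;
}

// Render a whole set of records; the raw (unencoded) values stay in the
// data store, encoding happens once, at the output boundary.
function renderGrid(rows, columns) {
  return `<table>${rows.map(r => renderRow(r, columns)).join('')}</table>`;
}

// Encoding on save AND on display double-encodes: the user would see the
// text "&lt;p&gt;Test&lt;/p&gt;" on screen instead of "<p>Test</p>".
function doubleEncodedExample(value) {
  const stored = htmlEncode(value);   // encoded when the record was saved
  return htmlEncode(stored);          // encoded again by the renderer
}

// Constructed sample records, reusing the inputs from the question.
const records = [
  { id: 1, name: '<script>alert()</script>' },
  { id: 2, name: '<p>Test</p>' },
  { id: 3, name: 'Tom & Jerry "quoted"' },
];

console.log(renderGrid(records, ['id', 'name']));
// <table><tr><td>1</td><td>&lt;script&gt;alert()&lt;/script&gt;</td></tr>...
```

Keeping the stored value raw and encoding at the point of display has two practical advantages: the same record can later be emitted into a different context (JSON, a CSV export, a plain-text e-mail) with the encoding appropriate to that context, and there is no double-encoding when two layers both try to be safe. Ext JS, which Coolite builds on, ships an equivalent escaping helper as `Ext.util.Format.htmlEncode`, which can be used as a column renderer for the same effect.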