Manish (asker):

Cross site scripting.

What is the best way to prevent cross-site scripting?
If a user enters an encoded value like %3c for <, how do we track this?
Please provide examples.
humanonomics:

Where will the user enter the data? What kind of application do you have?
Normally, for a web application, the general approaches to prevent cross-site scripting attacks are:
- Filter input parameters for special characters.
- Filter output based on input parameters for some special characters.
Manish (asker):
It is a web application.
JSP; we have our own framework.
We can write/add a filter in it.
Does anybody have an example for it?
Asker-certified solution by ksivananth (only available to Experts Exchange members).
Manish (asker):

I have the following value in the text field. The script is still getting executed and showing an alert.
<input id="headline" type="text" name="headline"  value="<script>alert&#40;&quot;hi&quot;&#41;</script>" />
Manish (asker):

Like this:
<input id="headline" type="text" name="headline"  value="&lt;script&gt;alert&#40;&quot;hi&quot;&#41;&lt;/script&gt;" />
Manish (asker):

Why so?

You should remove the script tags from the user input; refer to the link I have posted!