- slide 1 of 4
What is XSS Anyway?
Although many websites are vulnerable to XSS, many people who run these sites are not even aware of what it is. XSS is also known as cross-site scripting. A website that is vulnerable to XSS is one in which any HTML can be placed inside of a query (typically when a browser does an HTTP GET request). This can be used by a malicious hacker to link users to a page in which the query contains some HTML implementing a means to get information they want from any user that clicks on that link. A rough estimate puts about 70% of all websites on the Internet at risk for this kind of exploit.
- slide 2 of 4
How do I know if I have an XSS Hole in My Website?
- slide 3 of 4
What do I do About XSS Vulnerabilities?
- slide 4 of 4
More Rules of Thumb to Consider
Escaping HTML using entity escaping is right in the ball park of what you should be doing to prevent nasty XSS problems. Here are the best ways to escape your HTML (For best results, seek these out in queries in the order that they are listed):
- & = & (Always seek these out first, as you might accidentally replace the beginning of an escape with another escape, and so forth, if you do not seek this first)
- < = <
- > = >
- " = "
- ' = '
- / = /
If you follow through with what was suggested, you will probably never have a complaint about XSS vulnerabilities in your website, and you can rest assured that your visitors will be safe.