Preventing XSS Vulnerabilities: XSS Protection

written by: Miguel Leiva-Gomez•edited by: Michele McDonough•updated: 8/27/2009

XSS vulnerabilities are a potential nightmare. If your website has holes in it, both the site and its users can be compromised, and XSS is one of the most common vulnerabilities on the web. Learn how to prevent such vulnerabilities and make your website safe for your users.

    What is XSS Anyway?

    Although many websites are vulnerable to XSS, many of the people who run these sites are not even aware of what it is. XSS stands for cross-site scripting. A website that is vulnerable to XSS is one in which arbitrary HTML can be placed inside a query parameter (typically in the URL of an HTTP GET request) and is echoed back into the page without being escaped. A malicious hacker can use this by linking users to a page whose query contains HTML that implements a means of extracting the information they want from any user who clicks that link. A rough estimate puts about 70% of all websites on the Internet at risk for this kind of exploit.

    How do I know if I have an XSS Hole in My Website?

    The easiest way to detect an XSS vulnerability is to send a piece of JavaScript or HTML through any query parameter on your site. For example, if your website URL for a search query is "", then you can append the following string to it: %3Cscript%3Ealert%28%27There%20is%20an%20XSS%20Vulnerability%20Present%27%29%3C%2Fscript%3E. This is the most effective way of finding XSS holes without knowing much about how they can be used to compromise your site's visitors. The string is simply the URL-encoded form of a JavaScript alert call; if the page echoes it back unescaped, the browser will pop up a little alert saying "There is an XSS Vulnerability Present". You will, of course, need to have JavaScript enabled for this to work.

    What do I do About XSS Vulnerabilities?

    If you want to prevent XSS vulnerabilities, you need to handle input in a manner that will not allow any browser-side scripting (HTML, JavaScript, or CSS) from your queries to reach the page. The best thing to do is write a function that takes a query value and escapes it properly, and pass every value through it before it is written into the page. Escaping all HTML, JavaScript, and CSS metacharacters ensures that no query can inject such code into the page. This is the simplest and surest method of dealing with XSS holes on your site. When you are writing with ASP.NET, you usually do not have much to worry about, since its request validation rejects requests containing malicious scripts before your code proceeds with the results for the query.

    More Rules of Thumb to Consider

    Escaping HTML using entity escaping is right in the ballpark of what you should be doing to prevent nasty XSS problems. Here are the characters to escape in your HTML and what to replace them with (for best results, perform the replacements in the order listed):

    • & = &amp; (Always replace these first: if you did it later, you would rewrite the ampersand at the start of an entity you had already produced, such as &lt;, into yet another escape, and so on)
    • < = &lt;
    • > = &gt;
    • " = &quot;
    • ' = &#x27;
    • / = &#x2F;
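    The escaping function described in the previous section, implemented with exactly the six replacements listed above, as an added example that is not code from the original article. The names escapeHtml, escapeHtmlWrongOrder and renderSearchPage are assumed for this example, and the probe string is the article's test string decoded from its URL encoding; the wrong-order variant is included only to show the double-encoding mistake the first bullet warns about.

```javascript
// Added example (not from the original article): an HTML entity escaper that
// applies the six substitutions from the list above, ampersand first, plus a
// small search-page renderer showing where the escaper must be called.

// Replacement table in the order the article prescribes. Order matters: "&"
// must be handled before any other entity is introduced, otherwise the "&" in
// an already-produced "&lt;" would itself be rewritten to "&amp;lt;".
const HTML_ESCAPES = [
  ["&", "&amp;"],
  ["<", "&lt;"],
  [">", "&gt;"],
  ['"', "&quot;"],
  ["'", "&#x27;"],
  ["/", "&#x2F;"],
];

// Escape untrusted text before inserting it into an HTML body or a
// double-quoted attribute value. split/join replaces every occurrence.
function escapeHtml(input) {
  let out = String(input);
  for (const [ch, entity] of HTML_ESCAPES) {
    out = out.split(ch).join(entity);
  }
  return out;
}

// The same table applied in reverse (ampersand last): demonstrates the
// double-encoding bug, so "<b>" comes out as "&amp;lt;b&amp;gt;".
function escapeHtmlWrongOrder(input) {
  let out = String(input);
  for (const [ch, entity] of [...HTML_ESCAPES].reverse()) {
    out = out.split(ch).join(entity);
  }
  return out;
}

// Renders a search-results fragment. The "q" value comes straight from the
// query string and is untrusted, so every place it is echoed goes through
// escapeHtml; the markup written by the page itself is trusted.
function renderSearchPage(q) {
  const safe = escapeHtml(q);
  return (
    `<h1>Results for "${safe}"</h1>\n` +
    `<input type="text" name="q" value="${safe}">`
  );
}

// Constructed sample input: the article's probe string, URL-decoded.
const PROBE = "<script>alert('There is an XSS Vulnerability Present')</script>";

// True if any raw angle bracket survived escaping (i.e. markup could render).
function containsRawMarkup(text) {
  return /[<>]/.test(text);
}

// Stand-alone demonstration.
console.log(escapeHtml(PROBE));
console.log(escapeHtmlWrongOrder("<b>"));
console.log(renderSearchPage(PROBE));
```

    Note that the escaped output is only safe in the two contexts the function targets (element content and quoted attribute values); a value written into a script block, a URL, or a CSS rule needs escaping rules specific to that context.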

    If you follow through with what was suggested, you will probably never have a complaint about XSS vulnerabilities in your website, and you can rest assured that your visitors will be safe.