REMEDIATION
The simplest and most effective approach to this issue is to filter all HTML tags out of user
input. However, if accepting and processing HTML tags is necessary, the following additional
filters are recommended.

Restricting position and size of an image
If users need to be allowed to post images, the position of a user-submitted image must be
predefined in the DOM tree.

Restricting user to set style attributes
Never let the user set any attributes (such as "style"). This type of manipulation can be made harder
by using the "container inside a container" approach with CSS.

Input and output filters
To defend a web application against XSIO, better filters must be in place. Where not every input
character can be filtered out, the developer can at least encode the remaining characters as HTML
character references. Developers should take extreme care when handling anything entered by a user,
properly validating and sanitizing the user-supplied data.
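The following is an added example, not code from the original text, that puts the three filters above into practice in one allowlist-based sanitizer: it drops every tag not on a short allowlist, drops every attribute (including "style", width, height and any event handler) except a named few, accepts only absolute http(s) image sources, and places the cleaned output inside a fixed container so the page, not the user, decides where the content sits in the DOM. The allowlists, the sample markup and the container class name are assumptions chosen for the example; only Python's standard library is used.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlists are an assumption made for this example, not a standard of any kind:
# a few inline formatting tags, and <img> limited to src and alt. "style", width,
# height, class, id and every on* handler are absent and are therefore dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "img"}
ALLOWED_ATTRS = {"img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
RAW_TEXT_TAGS = {"script", "style"}   # their content is discarded, not just the tags


def _safe_src(url):
    """Only absolute http(s) URLs are accepted as image sources."""
    p = urlparse(url.strip())
    return p.scheme in ("http", "https") and bool(p.netloc)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup from scratch, emitting only allowlisted tags and attributes."""

    def __init__(self, allowed_tags, allowed_attrs):
        super().__init__(convert_charrefs=True)
        self.allowed_tags = allowed_tags
        self.allowed_attrs = allowed_attrs
        self.out = []
        self.open_stack = []   # emitted non-void tags, so output stays balanced
        self.skipping = None   # set while inside <script>/<style>
        self.dropped = []      # audit trail of rejected tags/attributes

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in RAW_TEXT_TAGS:
            self.skipping = tag
            self.dropped.append(("tag", tag))
            return
        if tag not in self.allowed_tags:
            self.dropped.append(("tag", tag))
            return
        kept, has_src = [], False
        for name, value in attrs:
            if name in self.allowed_attrs.get(tag, set()) and value is not None:
                if tag == "img" and name == "src":
                    if not _safe_src(value):
                        self.dropped.append(("attr", f"{tag}@{name}"))
                        continue
                    has_src = True
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append(("attr", f"{tag}@{name}"))
        if tag == "img" and not has_src:
            self.dropped.append(("tag", tag))   # image without an acceptable source
            return
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag in self.open_stack:
            while self.open_stack:          # close up to and including the matching tag
                t = self.open_stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data))

    def result(self):
        while self.open_stack:              # close anything the user left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize(markup, allowed_tags=ALLOWED_TAGS, allowed_attrs=ALLOWED_ATTRS):
    """Returns (clean_html, dropped_items)."""
    s = AllowlistSanitizer(allowed_tags, allowed_attrs)
    s.feed(markup)
    s.close()
    return s.result(), s.dropped


def strip_all_tags(markup):
    """The text's simplest option: keep the user's text only, no tags at all."""
    return sanitize(markup, allowed_tags=set(), allowed_attrs={})[0]


def render_user_block(markup):
    """Output filter: user content only ever appears inside this fixed container
    (class name assumed), so its place in the DOM is fixed by the page."""
    return '<div class="user-content">' + sanitize(markup)[0] + "</div>"


# Constructed sample of user-submitted markup, for demonstration only.
SAMPLE = (
    '<p onclick="x()">Hi <b>there</b></p>'
    '<img src="https://example.com/a.png" alt="a" '
    'style="position:absolute;top:0;left:0;width:100%;height:100%">'
    '<script>alert(1)</script><i style="color:red">x</i>'
    '<img src="javascript:alert(1)" alt="bad">'
)

if __name__ == "__main__":
    print(render_user_block(SAMPLE))
    print(sanitize(SAMPLE)[1])   # what was rejected, useful for logging
```

The sanitizer re-emits markup rather than editing the input string, so anything it did not explicitly recognise cannot survive; the `dropped` list is the hook for logging rejected styles and handlers, which is usually the first signal that someone is probing the filter.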