OWASP Cross Site Scripting (XSS)

September 10th, 2022

a) server-side rendering

// Don't do this

String queryBox = "<input type='text' value='" + request.getParameter("search") + "' />";

b) front-end apps

😞 putting content straight into the DOM without escaping

c) admin / customer-service GUIs

e.g. contact form

  • form submitted with hostile data

  • admin pulls up the record

  • executes on admin's browser

e.g. log viewers

  • put hostile data in log string

  • admin uses web log viewer

  • executes on admin's browser


solution

  • automated scanning tools

pattern: never trust input

scrub it on the way in

and

escape it on the way out
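Added example, not from the original notes: the Java "don't do this" snippet above mirrored in Python, with the "escape it on the way out" fix beside it; an HTML parser stands in for the browser and reports which attributes each version actually produces. `html.escape` plays the role that `Encode.forHtmlAttribute` from the OWASP Java Encoder would play in Java, and the hostile search value is constructed.

```python
import html
from html.parser import HTMLParser

# Constructed hostile search value: the leading quote closes the value
# attribute, and a browser reads the remainder as a second, event-handler attribute.
HOSTILE_SEARCH = "' onfocus='hostileCode()"


def render_unsafe(search: str) -> str:
    """Mirror of the page's Java 'don't do this': raw input concatenated into HTML."""
    return "<input type='text' value='" + search + "' />"


def render_escaped(search: str) -> str:
    """'Escape it on the way out': encode for the HTML attribute context.

    html.escape(quote=True) encodes & < > " and ', so nothing in the value can
    terminate the quoted attribute. The Java equivalent is Encode.forHtmlAttribute
    from the OWASP Java Encoder the notes refer to.
    """
    return "<input type='text' value='" + html.escape(search, quote=True) + "' />"


class _AttrCollector(HTMLParser):
    """Stand-in for the browser: records the attributes it sees on the tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict[str, str] = {}

    def handle_starttag(self, tag: str, attrs: list) -> None:
        # Attribute values arrive already unescaped, as a browser would see them.
        self.attrs.update({name: (value or "") for name, value in attrs})


def parsed_attrs(markup: str) -> dict[str, str]:
    """Return the attributes a browser-like parser extracts from the markup."""
    collector = _AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.attrs


if __name__ == "__main__":
    # Unsafe: the parser sees an injected onfocus handler alongside type and value.
    print(parsed_attrs(render_unsafe(HOSTILE_SEARCH)))
    # Escaped: only type and value survive, and value is the literal search text.
    print(parsed_attrs(render_escaped(HOSTILE_SEARCH)))
```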


ref: OWASP's Java Encoder Project

ref: XSS Prevention Cheat Sheet
