312-50V11 · Question #712
Which of the following is one of the most effective ways to prevent Cross-site Scripting (XSS) flaws in software applications?
The correct answer is C. Validate and escape all information sent to a server.. Validating and escaping all user-supplied input before it is rendered or processed by the server is the most effective technical control against XSS attacks.
Question
Which of the following is one of the most effective ways to prevent Cross-site Scripting (XSS) flaws in software applications?
Options
- AUse security policies and procedures to define and implement proper security settings.
- BUse digital certificates to authenticate a server prior to sending data.
- CValidate and escape all information sent to a server.
- DVerify acces right before allowing access to protected information and UI controls.
How the community answered
(26 responses)- B4% (1)
- C92% (24)
- D4% (1)
Why each option
Validating and escaping all user-supplied input before it is rendered or processed by the server is the most effective technical control against XSS attacks.
Security policies and procedures are administrative controls that define intent but do not technically prevent script injection in application code.
Digital certificates authenticate the identity of a server using TLS/PKI but have no effect on whether the application sanitizes user input.
XSS attacks succeed when untrusted data is included in a web page without proper validation or output encoding, allowing browsers to execute injected scripts. Input validation rejects malformed or malicious data before processing, while output escaping (HTML entity encoding) ensures that special characters like < > and & are rendered as text rather than interpreted as HTML or JavaScript. Together, these two controls directly neutralize the mechanism by which XSS payloads are injected and executed.
Verifying access rights before displaying UI controls is an authorization control that prevents privilege escalation, not script injection.
Concept tested: XSS prevention through input validation and output escaping
Source: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
Topics
Community Discussion
No community discussion yet for this question.