nerdexam
(ISC)2

CISSP · Question #953

Which of the following methods is MOST effective in mitigating Cross-Site Scripting (XSS) vulnerabilities within HyperText Markup Language (HTML) websites?

The correct answer is D. Not returning any HTML tags to the browser client. The most effective method for mitigating Cross-Site Scripting (XSS) vulnerabilities is to prevent the browser from interpreting user-supplied input as executable HTML tags.

Submitted by saadiq_pk· Mar 5, 2026Software Development Security

Question

Which of the following methods is MOST effective in mitigating Cross-Site Scripting (XSS) vulnerabilities within HyperText Markup Language (HTML) websites?

Options

  • AUse antivirus and endpoint protection on the server to secure the web-based application
  • BPlace the web-based system in a defined Demilitarized Zone (DMZ)
  • CUse .NET framework with .aspx extension to provide a higher level of security to the web
  • DNot returning any HTML tags to the browser client

How the community answered

(58 responses)
  • A
    3% (2)
  • B
    9% (5)
  • C
    7% (4)
  • D
    81% (47)

Why each option

The most effective method for mitigating Cross-Site Scripting (XSS) vulnerabilities is to prevent the browser from interpreting user-supplied input as executable HTML tags.

AUse antivirus and endpoint protection on the server to secure the web-based application

Antivirus and endpoint protection primarily secure the server infrastructure from malware but do not prevent client-side script injection into the web application's output, which is the core mechanism of XSS.

BPlace the web-based system in a defined Demilitarized Zone (DMZ)

Placing a web system in a DMZ provides network-level isolation and security but does not address application-layer vulnerabilities like XSS, which stem from improper handling of user input within the web application itself.

CUse .NET framework with .aspx extension to provide a higher level of security to the web

While frameworks like .NET offer security features, merely using them does not automatically mitigate XSS; proper implementation of output encoding/escaping within the application code is still required to prevent such vulnerabilities.

DNot returning any HTML tags to the browser clientCorrect

By ensuring that all user-supplied data is properly HTML-encoded or escaped before being displayed, any injected HTML tags, such as <script>, are rendered as literal text instead of executable code. This prevents the browser from executing malicious client-side scripts, effectively neutralizing XSS attacks.

Concept tested: Preventing XSS through output encoding/escaping

Source: https://owasp.org/www-community/attacks/xss/

Topics

#XSS mitigation#secure coding#input sanitization#web application security

Community Discussion

No community discussion yet for this question.

Full CISSP Practice