OWASP Periodic Table of Vulnerabilities - Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
Root Cause Summary
Cross-Site Scripting (aka XSS or CSS) is an injection attack that is possible when an application accepts untrusted data and includes it in the context of an HTML page. Specially-formatted attacks take on functional meaning, allowing data to be executed with the same privileges as the containing web site.
Browser / Standards Solution
Generic Framework Solution
Automatically sanitize any dynamic content before writing it into HTML, XML, or other documents that might be rendered by user agents that execute active content. If dynamic content must include dangerous elements, provide APIs which filter and sanitize potentially dangerous attributes of these elements. Exceptions and attribute configurations should be described by a policy file instead of hard-coded into the framework itself or into function calls. Legal attributes and elements should be whitelisted (as opposed to blacklisted) in order to prevent future browser features or HTML extensions from exposing new security holes.
Custom Framework Solution
Custom Code Solution
Discussion / Controversy
The generic framework solution isn't fully generalizable to enable certain classes of applications, especially content management systems (CMSes) and inlined 3rd-party scripts. Thus, changes to standards and new browser features are necessary to fully address all functional use cases.
Until standards changes are implemented, performance tradeoffs between encoding at the time of each page load and encoding data in the model/database may require tighter coupling between application frameworks and database solutions for applications which generate HTML pages dynamically (as opposed to "Web 2.0" applications which serve a static view and load dynamic content via XHR, rendering dynamic views client-side).