by codingthewheel 5630 days ago
Sanitize everything, use multiple redundant sanitizer libraries (there are several out there that handle different things), and use a whitelist-based, rather than a blacklist-based, approach. If you want to allow the use of <a> tags, enforce that they adhere to the exact format of a safe <a> tag, otherwise encode or strip them. One look at the XSS cheatsheet page should be enough to convince any sane developer of the futility of a blacklist-based approach.
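A sketch of the whitelist approach the comment describes, added here as an illustration and not code from the commenter: every tag is entity-encoded except an <a> that is rebuilt from scratch with only an absolute http(s) href, so a tag is never passed through as the user wrote it. The WhitelistSanitizer class, the sanitize function and the allowed-scheme set are assumptions of this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only absolute http(s) links

def safe_href(href):
    """Return the href if it is an absolute http(s) URL, else None."""
    if href is None:
        return None
    parsed = urlparse(href.strip())
    if parsed.scheme.lower() in ALLOWED_SCHEMES and parsed.netloc:
        return href.strip()
    return None

class WhitelistSanitizer(HTMLParser):
    """Encode every tag except <a href="http(s)://...">, which is rebuilt."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_a = [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = safe_href(dict(attrs).get("href"))
            if href is not None:
                # Rebuild from scratch with only the one allowed attribute, so
                # nothing from the raw tag (onclick, style, ...) is echoed.
                self.out.append('<a href="%s">' % escape(href, quote=True))
                self.open_a += 1
                return
        # Any other tag, or an <a> whose href fails the check, becomes text
        self.out.append(escape(self.get_starttag_text() or "", quote=False))

    def handle_startendtag(self, tag, attrs):  # <br/> and similar: encode too
        self.out.append(escape(self.get_starttag_text() or "", quote=False))

    def handle_endtag(self, tag):
        if tag == "a" and self.open_a > 0:
            self.open_a -= 1
            self.out.append("</a>")
        else:
            self.out.append(escape("</%s>" % tag, quote=False))

    def handle_data(self, data):  # text nodes are always entity-encoded
        self.out.append(escape(data, quote=False))

def sanitize(html):
    p = WhitelistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out) + "</a>" * p.open_a  # close any dangling <a>
```

Comments, doctype declarations and processing instructions fall through HTMLParser's default no-op handlers, which is the "strip" branch of the comment's encode-or-strip rule.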