Problem solve Get help with specific problems with your technologies, process and projects.

To prevent cross-site scripting, should specific words and characters be rejected?

In this expert Q&A, John Strand explains which application development best practices can stop cross-site scripting attacks.

I'm interested in preventing cross-site scripting (XSS) attacks. If we reject characters and words like <, >, script, -- and their equivalent entity values, etc., that can cause malicious attacks -- it increases the cost of application development. Would you recommend this course of action?
No. Instead, I recommend that developers code their applications to only allow the required set of characters necessary for the application to function properly. That is an application development best practice.

Many organizations view secure coding as an activity that is supposed to happen at the end of the development process. However, if someone testing an application at the end of the development lifecycle says an application needs recoding to ensure its security, that application will need to be reworked and retested, along with any other application that interacts with it. This constant tweaking is often far more expensive than implementing an iterative security process throughout an application development lifecycle.

If there is a field called "State," for example, there is no reason to allow <, > ;, *, --, or : as possible values. If application developers write code from the perspective of only accepting known good values, it decreases the overall cost of application development by cutting quality assurance and certification and accreditation testing.

For more help, a great framework to use is the Scalable & Agile Lifecycle Security for Applications.

More information:

  • Video: Security researchers at Information Security Decisions 2008 recently discussed how to keep enterprises safe from cross-site scripting and buffer overflows.
  • This was last published in January 2009

    Dig Deeper on Web application and API security best practices

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.