Preventing XSS
Several factors have to be considered when defending against XSS attacks, for example:
- The type of input in the HTTP request
- The location in the HTML document where the data will be inserted
Note
- A defense that works in one context (such as an HTML attribute) might not work in another context (such as a JavaScript variable assignment).
- A defense that works with one kind of input (such as input validation and output encoding for a username) will not work with other kinds of input (such as sanitization for untrusted HTML).
A different output encoding function is needed depending on where in the web page the untrusted data is inserted!
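The following JavaScript is an added example, not part of the original notes, illustrating the point above: the same untrusted value is rendered into four contexts (HTML body, HTML attribute, JavaScript string literal, and a JavaScript string inside an event-handler attribute), each with its own encoder, and a small model of the browser's attribute decoding shows why reusing the attribute encoder alone for the event-handler case fails. The encoder names, `renderProfile`, `decodeNumericEntities` and the sample value are assumptions constructed for the example.

```javascript
// Added example (not from the original notes): one output encoder per
// context, plus a check of what goes wrong when a defense for one context
// is reused in another. The sample input below is constructed.

// Context 1: HTML element content, e.g. <div>DATA</div>.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
function encodeForHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Context 2: HTML attribute value, e.g. <input value="DATA">.
// Everything except [A-Za-z0-9] becomes &#xHH;, so the value stays inside
// the attribute even if the template forgot the quotes.
function encodeForHtmlAttribute(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/gu,
    (ch) => `&#x${ch.codePointAt(0).toString(16).toUpperCase()};`);
}

// Context 3: JavaScript string literal, e.g. var n = 'DATA';
// \xHH / \uHHHH escapes cannot terminate the literal or the <script> block.
function encodeForJavaScriptString(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/gu, (ch) => {
    const cp = ch.codePointAt(0);
    if (cp < 0x100) return '\\x' + cp.toString(16).padStart(2, '0');
    if (cp < 0x10000) return '\\u' + cp.toString(16).padStart(4, '0');
    return `\\u{${cp.toString(16)}}`;
  });
}

// Context 4: JS string inside an event-handler attribute, e.g.
// <a onclick="show('DATA')">. The browser HTML-decodes the attribute value
// first and then hands the result to the JS engine, so two layers are
// needed: JS-encode for the inner context, then attribute-encode for the
// outer one.
function encodeForEventHandlerAttribute(untrusted) {
  return encodeForHtmlAttribute(encodeForJavaScriptString(untrusted));
}

// Minimal model of the browser's attribute-value decoding step (numeric hex
// entities only, which is all the encoders above emit). Used to show what
// the JS engine would actually receive.
function decodeNumericEntities(attrValue) {
  return attrValue.replace(/&#x([0-9A-Fa-f]+);/g,
    (_, hex) => String.fromCodePoint(parseInt(hex, 16)));
}

// Render the same untrusted value into each context with the matching encoder.
function renderProfile(displayName) {
  return [
    `<div>${encodeForHtml(displayName)}</div>`,
    `<input value="${encodeForHtmlAttribute(displayName)}">`,
    `<script>var displayName = '${encodeForJavaScriptString(displayName)}';</script>`,
    `<a onclick="show('${encodeForEventHandlerAttribute(displayName)}')">me</a>`,
  ].join('\n');
}

// Constructed sample: a value that would otherwise terminate a JS string
// literal and open an HTML tag.
const SAMPLE = "O'Neil <b>";

// What the JS engine sees inside the onclick handler under two strategies:
// 'attribute-only' reuses the attribute encoder; 'layered' applies
// encodeForEventHandlerAttribute.
function jsSeenByEngine(strategy) {
  const encoded = strategy === 'attribute-only'
    ? encodeForHtmlAttribute(SAMPLE)
    : encodeForEventHandlerAttribute(SAMPLE);
  return decodeNumericEntities(encoded);
}

console.log(renderProfile(SAMPLE));
console.log('attribute-only handler sees:', jsSeenByEngine('attribute-only'));
console.log('layered handler sees:       ', jsSeenByEngine('layered'));
```

Running it prints the rendered markup and the two handler views: with attribute encoding alone, the engine receives the raw `'` again after the browser decodes the entities, so the string literal can be terminated; with the layered encoding it receives `\x27`, which stays inside the literal. This is the same observation as the note above, in executable form: choose the encoder by the context the data lands in, and nest encoders when contexts nest.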