Several factors must be considered when defending against XSS attacks, for example:
- Input type in the HTTP request
- Locations in the HTML document where the data will be included
- A defense that works for one kind of input (such as input validation and output encoding for a username) will not work for other kinds of input (such as untrusted HTML, which needs sanitization).

You need to use a different output encoding function depending on where you are inserting untrusted data into the webpage!
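
The rule above, shown as an added example (not code from the original page): the same untrusted value is placed in four locations of a page, each with its own encoder. The function names and the sample value are hypothetical and constructed for illustration.

```javascript
// Added example: one encoder per output context. Function names are hypothetical.

// HTML element content (<p>HERE</p>): encode the characters that can start markup.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g,
    c => `&#x${c.charCodeAt(0).toString(16)};`);
}

// HTML attribute value (<input value="HERE">): encode everything non-alphanumeric,
// so the value cannot close the quote or, if unquoted, end at a space.
function encodeForHtmlAttr(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    c => `&#x${c.codePointAt(0).toString(16)};`);
}

// JavaScript string literal (var x = 'HERE'): \uXXXX-escape every non-alphanumeric
// UTF-16 code unit, covering quotes, backslash, line terminators and "</script>".
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// URL query parameter (?q=HERE): percent-encode, including the characters
// that encodeURIComponent leaves as-is.
function encodeForUrlParam(value) {
  return encodeURIComponent(String(value)).replace(/[!'()*]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Place the same untrusted value into four locations of a page.
function renderAll(untrusted) {
  return {
    body: `<p>${encodeForHtml(untrusted)}</p>`,
    attr: `<input value="${encodeForHtmlAttr(untrusted)}">`,
    script: `<script>var name = '${encodeForJsString(untrusted)}';</script>`,
    // A URL inside an attribute needs both layers: URL-encode, then attribute-encode.
    link: `<a href="${encodeForHtmlAttr('/search?q=' + encodeForUrlParam(untrusted))}">search</a>`,
  };
}

// Constructed sample input, not taken from the page.
const sample = `O'Neil "<b>" \\ &`;
console.log(renderAll(sample));
```

The HTML-content encoder leaves a backslash untouched, which is harmless inside `<p>` but not inside a JavaScript string literal; that mismatch is why each location gets its own function.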