🎩Cross-site scripting (XSS)
This is how an attacker gets a script (usually JavaScript) into our system or database
so that it later runs in other users' browsers.
Example
We have a database that stores comments as plain text, with no input validation.
The attacker submits a script as the comment text, and we store it in the DB.
When a client opens the website to view the comments, the script runs in their browser.
How to Protect
Input validation to reject script content.
Encode data before rendering HTML -> modern frameworks already handle this; React, for example, escapes special characters by default.
Add a header:
Content Security Policy (CSP)
-> determines which kinds of JS scripts are allowed to run.
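The stored-comment flow from the Example section and the three protections above, shown in one runnable Node.js script. This is an added example written for this note, not code from the original page. The in-memory array stands in for the database, the comment text is constructed for illustration, and the function names (saveComment, renderCommentUnsafe, escapeHtml, buildCspHeader, etc.) are assumptions of this example.

```javascript
// Added example (not from the original note): a stored-XSS flow in miniature.
// A comment is saved verbatim, then rendered into HTML two ways: raw
// interpolation (the vulnerable path described in the note) and HTML-encoded
// (the protection the note recommends). A CSP header value is built as a
// second layer of defence. Names and sample data are constructed for this example.

// In-memory stand-in for the database; comments are stored as plain text.
const commentStore = [];

// Input validation: a basic length/type check. Note that it cannot reject '<'
// outright, because legitimate comments may contain it, so encoding on output
// (below) remains the essential step.
function validateComment(text) {
  return typeof text === 'string' && text.trim().length > 0 && text.length <= 500;
}

function saveComment(text) {
  if (!validateComment(text)) return false;
  commentStore.push(text);
  return true;
}

// Vulnerable rendering: the comment is pasted straight into the markup, so any
// tag inside it becomes part of the page and runs in the viewer's browser.
function renderCommentUnsafe(text) {
  return `<li class="comment">${text}</li>`;
}

// Output encoding: the five characters that can change HTML structure are
// replaced with entities, so the browser displays the text instead of parsing it.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderCommentSafe(text) {
  return `<li class="comment">${escapeHtml(text)}</li>`;
}

// Render the whole comment list with the chosen renderer.
function renderPage(renderer) {
  return `<ul>${commentStore.map(renderer).join('')}</ul>`;
}

// Regression check for a test suite: does the rendered markup contain a
// script element? The template itself never emits one, so any hit is injected.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Content-Security-Policy value: only scripts served from this origin may run.
// Inline scripts (the usual XSS payload) are blocked because 'unsafe-inline'
// is absent from script-src. Send it as the Content-Security-Policy header.
function buildCspHeader() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Usage with a benign comment and a constructed malicious one.
saveComment('Nice post!');
saveComment('<script>alert(1)</script>');
console.log('unsafe :', renderPage(renderCommentUnsafe)); // script tag survives intact
console.log('safe   :', renderPage(renderCommentSafe));   // script tag shown as text
console.log('CSP    :', buildCspHeader());
```

In a real handler the CSP string is attached with `res.setHeader('Content-Security-Policy', buildCspHeader())` before the page is sent; it is a backstop for the case where an unescaped value slips through, not a replacement for encoding on output.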