Problem Statement
Explain a simple strategy to reduce XSS across a front-end and back-end stack.
Explanation
Encode output according to the context it lands in: HTML body, HTML attribute, and JavaScript string contexts each need their own encoder, and using the wrong one (HTML-encoding a value that ends up inside a script block, for example) leaves the bypass open. On the client, avoid innerHTML with untrusted data; prefer textContent or a templating engine that escapes by default. On the server, validate and normalize input, but do not rely on filtering alone, because the same value can be harmless in one context and executable in another. Add a Content-Security-Policy response header to restrict which scripts may run and which third-party origins may be loaded; a strict nonce- or hash-based script-src blocks most injected inline scripts even when an encoding bug slips through.
Test reflected, stored, and DOM-based flows, and review risky sinks such as eval, document.write, and innerHTML (outerHTML and insertAdjacentHTML belong on the same list). OWASP's XSS Prevention and DOM-based XSS Prevention cheat sheets give concrete do-and-don't rules you can follow.
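The following is an added example, not code from the original page or from OWASP: it implements the three context-specific encoders the explanation calls for, places one untrusted value into each context with the matching encoder, builds a nonce-based CSP header, and runs a small sink scanner over a constructed snippet of front-end code. The function names, the sample input, and the sample source are all assumptions made for illustration; the encoding rules follow the usual HTML/attribute/JS-string escaping approach.

```javascript
// Added example (not from the original page). Runs under Node.js with no
// dependencies. All inputs below are constructed samples.

// 1. HTML element content: escape the characters that can start or end markup.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// 2. HTML attribute value: encode every non-alphanumeric character as &#xHH;
// so a value cannot close the quote (or, in an unquoted attribute, the attribute).
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// 3. JavaScript string literal: \xHH / \uHHHH escape every non-alphanumeric
// character so the value can neither end the quoted string nor emit </script>.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    if (cp < 0x100) return '\\x' + cp.toString(16).padStart(2, '0');
    if (cp < 0x10000) return '\\u' + cp.toString(16).padStart(4, '0');
    return '\\u{' + cp.toString(16) + '}';
  });
}

// One untrusted value rendered into three contexts, each with its own encoder.
// Using encodeForHtml for all three would leave the attribute and script
// contexts exploitable (e.g. `'` survives HTML encoding in some encoders).
function renderProfile(name) {
  return [
    `<p>Hello, ${encodeForHtml(name)}</p>`,
    `<input value="${encodeForHtmlAttribute(name)}">`,
    `<script>var user = '${encodeForJsString(name)}';</script>`,
  ].join('\n');
}

// Strict CSP: only same-origin and nonce-tagged scripts may run; an injected
// <script> without the per-response nonce is blocked by the browser.
function cspHeader(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Source review helper: flag lines that use the DOM sinks named in the text.
const RISKY_SINKS = ['eval(', 'document.write(', '.innerHTML', '.outerHTML',
  'insertAdjacentHTML(', 'new Function('];
function findRiskySinks(source) {
  const hits = [];
  source.split('\n').forEach((line, i) => {
    for (const sink of RISKY_SINKS) {
      if (line.includes(sink)) hits.push({ line: i + 1, sink });
    }
  });
  return hits;
}

// Constructed sample of front-end code to scan (not taken from any real app).
const SAMPLE_SOURCE = [
  'const q = location.hash.slice(1);',
  'result.innerHTML = q;    // DOM XSS sink fed by location.hash',
  'result.textContent = q;  // safe: rendered as text',
  'eval(q);                 // never with untrusted data',
].join('\n');

console.log(renderProfile('<img src=x onerror=alert(1)>'));
console.log(cspHeader('r4nd0m'));
console.log(findRiskySinks(SAMPLE_SOURCE));
```

The scanner is deliberately a substring match: it is a triage aid for code review, not a proof of safety, and a clean result says nothing about data reaching those sinks through a framework's own wrappers.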
Code Solution
// Client side: render untrusted data as text, never as markup
result.textContent = userInput; // safer than innerHTML

// Server side: response header limiting where scripts may be loaded from
Content-Security-Policy: default-src 'self'
