HTML Encoding
HTML encoding can help us defend against XSS attacks. Let's see how.
We'll cover the following...
Now let’s consider how we can defend against this. A frequently suggested defense that doesn’t work is to strip out the < and > characters. One problem with this defense is that sometimes people need to discuss dangerous inputs. Readers of this course, for example, may want to discuss XSS payloads on a web-based forum. Attempts to strip out < and > would stop these conversations. Also, we’ll see that not every XSS attack needs < or >.
HTML encoding
Before we look at its application for defense, let’s take a look at how HTML encoding works. In the previous paragraph, we touched on an interesting problem in HTML. We use < and > to ...
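As an added example (not code from the course itself), the snippet below puts the two approaches side by side: the "strip out < and >" non-defense from the first paragraph, and HTML entity encoding as introduced in this section. The function names, the entity table and the sample forum post are this example's own; the post is a constructed one containing the kind of XSS payload a reader of this course might want to discuss on a forum.

```javascript
// Added example, not part of the original lesson. Contrasts stripping angle
// brackets with HTML entity encoding of untrusted text that will be placed in
// an HTML text node. All names below are chosen for this example.

// The naive "defense" discussed above: delete every < and >. It mangles
// legitimate content (people can no longer talk about tags) and leaves other
// HTML-significant characters such as quotes and ampersands untouched.
function stripAngleBrackets(untrusted) {
  return String(untrusted).replace(/[<>]/g, "");
}

// Entity table for HTML encoding. Besides < and > it also covers &, " and ',
// because those characters change meaning inside attributes and entities;
// encoding all five is what lets text be shown literally instead of parsed.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// HTML-encode untrusted text: every HTML-significant character becomes its
// entity form, so the browser renders it as literal characters. A single
// regex pass means an existing "&amp;" in the input is (correctly) encoded
// again to "&amp;amp;" rather than being passed through.
function htmlEncode(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Build one forum comment as HTML. The markup (<li>, <b>) is ours and
// trusted; the author name and body are untrusted and therefore encoded.
function renderComment(author, body) {
  return `<li><b>${htmlEncode(author)}</b>: ${htmlEncode(body)}</li>`;
}

// Constructed sample: a reader posting an XSS payload for discussion.
const forumPost = "Try this payload: <script>alert(1)</script>";

// Stripping destroys the conversation: the tag names survive, the brackets
// don't, and the reader sees "scriptalert(1)/script".
const stripped = stripAngleBrackets(forumPost);

// Encoding preserves it: the browser displays the payload as text and never
// executes it, because "&lt;script&gt;" is not a tag to the HTML parser.
const encoded = renderComment("reader42", forumPost);

// Quick self-check usable from the console: the encoded output must contain
// no raw angle brackets outside our own <li>/<b> markup.
function containsNoRawUserMarkup(html) {
  return !/&lt;script/.test(html) ? false : !/<script/.test(html);
}

console.log("stripped:", stripped);
console.log("encoded :", encoded);
console.log("safe    :", containsNoRawUserMarkup(encoded));
```

The design point is that encoding is context-specific: this table is correct for text placed inside an element body or a quoted attribute, which is why it encodes quotes and ampersands as well as angle brackets; placing untrusted text into a URL, a script block or a CSS value needs a different encoder, not this one.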