Content Security Policy halts XSS in its tracks

Cross-site scripting (XSS) is one of the biggest problems faced by webmasters. Even banks and payment service providers like PayPal appear unable to prevent XSS from being used to inject external code. The new Content Security Policy standard should finally relieve the problem.

http://www.h-online.com/security/features/Content-Security-Policy-halts-XSS-in-its-tracks-1892346.html
Modern web applications accept all sorts of user input. An obvious example is a search function for searching through the goods available in an online store. Servers frequently return the input value as part of the search results: "Your search for *search term* returned 7 hits". If the web developer has failed to exercise sufficient care, cyber-criminals can exploit this to inject code into the page: a search term such as `<script>alert("Pwned!")</script>` is interpreted by the browser as JavaScript and executed in the context of the web site on which it is displayed. It therefore follows that unforeseen user input needs to be filtered, or more precisely, encoded before it is written back into the page.
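The reflected search pattern described above, as an added example that is not part of the original article: a naive renderer that interpolates the raw term, the hardened renderer that HTML-encodes it, and the response headers carrying a Content Security Policy that refuses inline scripts. The function names and the header set are assumptions for illustration.

```python
# Added example (not from the article): reflected search output, naive vs. hardened,
# plus a Content-Security-Policy header as defence in depth.
import html


def render_search_naive(term: str, hits: int) -> str:
    # Vulnerable: the raw term is interpolated into the page, so any markup
    # in the term is handed to the browser as markup and parsed as such.
    return f"<p>Your search for {term} returned {hits} hits</p>"


def render_search_safe(term: str, hits: int) -> str:
    # Hardened: characters with meaning in HTML (<, >, &, quotes) are encoded,
    # so the browser renders the term as text instead of parsing it as a tag.
    return f"<p>Your search for {html.escape(term, quote=True)} returned {hits} hits</p>"


def response_headers() -> dict:
    # Defence in depth (assumed header set): a CSP that only allows scripts
    # loaded from this origin. Without 'unsafe-inline', inline <script> blocks
    # are refused by the browser even if an encoding bug lets markup through.
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }


def contains_script_tag(page: str) -> bool:
    # Check used to show the difference: is an unencoded <script> element
    # still present in the rendered page?
    return "<script" in page.lower()


if __name__ == "__main__":
    # Constructed sample input: the probe quoted in the article.
    probe = '<script>alert("Pwned!")</script>'
    print(render_search_naive(probe, 7))   # markup survives: vulnerable
    print(render_search_safe(probe, 7))    # &lt;script&gt;...: rendered as text
    print(response_headers()["Content-Security-Policy"])
```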
