For a few years now, a security vulnerability called "cross-site scripting" has been receiving widespread attention. This problem is particularly insidious because it arises from a simple and very common oversight. Tens of thousands of server-side programs have this problem, and no programming language or development tool is exempt.

In this article, I'll explain exactly what this problem is and give some general guidelines for server-side development that can help reduce the likelihood that you'll make this particular mistake.

The key to this type of attack is the attacker's ability to insert their own HTML markup into pages on your site. The mistake to avoid is including any text in an outgoing page unless that text has been thoroughly scrutinized. The above example uses e-mail received from a third party, but the text could just as easily come from the user themselves.

For example, if someone comes to your site by following a link from another site, the URL might contain query parameters that get included directly in your pages. Search forms, for instance, often include the search text verbatim in the results page. HTML markup within the search text can be used to modify the page in malicious ways. (The name "cross-site scripting" came from this technique of building malicious links from one site to another.)
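The search-form case described above, as an added example that is not code from the original article: the same results page rendered with the search text inserted verbatim and with it escaped, then parsed to see which elements the page ends up containing. The URL, the page template and all function names are constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a link from another site whose "q" parameter carries markup.
SAMPLE_URL = "https://shop.example/search?q=%22%3E%3Ch1%3ESite+closed%3C%2Fh1%3E"

# Hypothetical results page: the search text appears in an attribute and in body text.
PAGE = ('<form action="/search"><input name="q" value="{q}"></form>\n'
        "<p>Results for: {q}</p>")

def search_text(url):
    """Return the decoded 'q' parameter from the request URL."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]

def render_unsafe(url):
    """The oversight: the decoded search text goes into the page verbatim."""
    return PAGE.format(q=search_text(url))

def render_escaped(url):
    """Escape &, <, > and both quote characters before inserting the text."""
    return PAGE.format(q=html.escape(search_text(url), quote=True))

class _Tags(HTMLParser):
    """Records each start tag and the value attribute of the search box."""
    def __init__(self):
        super().__init__()
        self.tags, self.box_value = [], None
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.box_value = dict(attrs).get("value")

def parse(page):
    """Parse a page and return (start tags, search box value)."""
    parser = _Tags()
    parser.feed(page)
    parser.close()
    return parser.tags, parser.box_value

if __name__ == "__main__":
    for render in (render_unsafe, render_escaped):
        print(render.__name__, parse(render(SAMPLE_URL)))
```

In the unescaped page the quote in the query closes the `value` attribute early and an `h1` element appears in both places; in the escaped page only the template's own tags exist and the search box still shows exactly what was typed.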