Section: 4.4.1
Sub Level: General
Input from untrusted sources should be encoded before it is passed to backend systems or written back to the user's browser, so that any client-side "code" hidden in the data is treated as literal text rather than executed. The encoding must match the context the data is placed in. Data that has been HTML entity encoded is rendered by the browser as text, not interpreted as markup or script, and so cannot carry an HTML or script injection; it does nothing, however, for other contexts (a JavaScript string literal, a URL parameter, a database query), each of which needs its own encoding, or for databases a parameterized query.
ColdFusion

Use URLEncodedFormat() and URLDecode() for data placed in or read from URLs (the names urlEncode and urlDecode do not exist in ColdFusion). Data written into HTML needs HTMLEditFormat() instead.

Enable Global Script Protection. This security feature was added in ColdFusion MX 7 and helps protect Form, URL, CGI, and Cookie scope variables from cross-site scripting attacks by replacing a small set of dangerous tags (script, object, embed, applet, meta) in those scopes with an InvalidTag marker. It is a blacklist on a few tag names, not a substitute for output encoding, so still encode every value you write to the page.

Django

Input is stored as the user entered it and is HTML entity encoded on output by the auto-escaping feature of Django's templating system, which encodes <, >, &, " and ' in every template variable. Auto-escaping is switched off for anything marked safe (the safe filter, mark_safe(), or an autoescape off block), so treat those as places where you are taking responsibility for encoding yourself, and note that it only covers HTML element and quoted-attribute contexts, not values inserted into JavaScript or URLs.

Java

JSP 2.0 introduced Expression Language (EL) expressions, such as ${param.name}, which can be used directly within a page template. EL writes its result without any escaping, so using it to output request data will leave an application open to XSS attacks. Write such values through a tag that escapes them, such as JSTL's <c:out>, which escapes XML characters by default, or pass them through fn:escapeXml().
Natural Webagent

There is currently no centralized script for encoding input. We recommend scrubbing inputs and auditing for both format and content. For output encoding, see section 4.4.2. For more information on XSS attacks, see the OWASP article on cross-site scripting.

.NET

The Server.HtmlEncode() method converts the HTML-significant characters in a string (<, >, & and ") to their entity equivalents, so a browser renders them as text rather than interpreting them. Older framework versions do not encode the single quote, so always quote attribute values with double quotes. HtmlEncode() is for HTML context only; use Server.UrlEncode() for values placed in URLs.

PHP

Use htmlentities() to escape output to the browser.

Call it with the optional ENT_QUOTES flag and an explicit character set such as UTF-8. Without ENT_QUOTES the single quote is left unencoded (PHP versions before 8.1 default to ENT_COMPAT, which encodes only double quotes), so a value inside a single-quoted attribute can break out of it; omitting the character set makes the result depend on the runtime default encoding. Remember to escape only filtered data, and escape it at output time rather than before storing it, so that values are never encoded twice.
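The following Python example is added here and is not part of the original guideline or of any of the frameworks listed above. It demonstrates the point from the General section that the encoder must match the output context, and the PHP point about ENT_QUOTES: one HTML entity encoder with and without quote encoding, a JavaScript string-literal encoder, and a URL parameter encoder, run over constructed attacker-style inputs. It uses only the standard library; the function names, the render_profile() page fragment and the sample payloads are my own.

```python
import html
from urllib.parse import quote

# Constructed sample inputs of the kind an attacker might type into a form
# field. They are illustrative payloads, not taken from any real incident.
SAMPLES = {
    "script": "<script>alert(1)</script>",
    "dq_attr": '" onmouseover="alert(1)',
    "sq_attr": "' onmouseover='alert(1)",
    "js_break": "</script><script>alert(1)</script>",
}


def encode_html(value: str, quotes: bool = True) -> str:
    """HTML entity encoding for text between tags or inside a quoted attribute.

    quotes=True encodes both " and ', the equivalent of PHP's ENT_QUOTES.
    quotes=False leaves both quote characters alone; for the single quote this
    is what htmlentities() does without ENT_QUOTES, and it is unsafe inside a
    single-quoted attribute, as the test inputs show.
    """
    return html.escape(value, quote=quotes)


def encode_js_string(value: str) -> str:
    """Encoding for a value dropped inside a quoted JavaScript string literal.

    HTML entity encoding is the wrong tool here: the browser does not decode
    entities inside a <script> block, so &lt; would reach the script engine
    unchanged. Every character outside ASCII letters and digits is written as
    \\xHH or \\uHHHH instead, so quotes, backslashes and the sequence </script>
    cannot terminate the literal or the script element.
    """
    out = []
    for ch in value:
        cp = ord(ch)
        if cp < 128 and ch.isalnum():
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02x}")
        elif cp < 0x10000:
            out.append(f"\\u{cp:04x}")
        else:
            # Characters outside the BMP are written as a UTF-16 surrogate pair.
            hi, lo = divmod(cp - 0x10000, 0x400)
            out.append(f"\\u{0xD800 + hi:04x}\\u{0xDC00 + lo:04x}")
    return "".join(out)


def encode_url_param(value: str) -> str:
    """Percent-encoding for a value placed in a URL query string.

    safe='' forces '/' to be encoded too, so a value cannot add path segments,
    and '&' and '=' are encoded so it cannot add extra parameters.
    """
    return quote(value, safe="")


def render_profile(name: str, homepage: str) -> str:
    """Build a small HTML fragment, picking the encoder by output context.

    The same untrusted name lands in an element body, a single-quoted
    attribute, a URL parameter and a JavaScript string literal; each placement
    uses the encoder for that context rather than a single generic one.
    """
    return (
        f"<p>Hello, {encode_html(name)}</p>\n"
        f'<a href="/go?u={encode_url_param(homepage)}" '
        f"title='{encode_html(name)}'>home</a>\n"
        f'<script>var who = "{encode_js_string(name)}";</script>'
    )


if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"--- {label} ---")
        print(render_profile(payload, "http://example.com/?a=b&c"))
```

The single-quoted title attribute in render_profile() is the case the ENT_QUOTES advice is about: with quotes=False the sq_attr sample passes through unchanged and closes the attribute early, while with quotes=True it is rendered as harmless text. The js_break sample shows why the JavaScript context needs its own encoder: entity-encoding it would leave a literal </script> inside the script block.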