Preventing cross-site scripting attacks
Cross-site scripting (XSS) is a means of running code from one computer on another computer. It is sometimes used maliciously, either to obtain information from another computer or to change a computer's settings. A simple example is an email message that contains a link or image. A malicious user can include HTML code or JavaScript in the body of the message that invites you to click on the link or image to obtain further information or to take part in a survey. The link or object looks innocent, but secretly attacks your system, perhaps by copying the user name and password that you enter to start the survey.
All UNICOM Intelligence Interviewer - Server Admin activities have been enhanced to prevent them being used for cross-site scripting. If you write your own activities to use with UNICOM Intelligence Interviewer - Server Admin, you should implement similar policies to ensure that your installation remains secure.
The two most important rules for preventing cross-site scripting are:
▪Restrict input. Whenever possible, impose restrictions on what users can enter. For example, rather than accepting any characters, decide which characters you would expect to see in the field and reject the user's input if it contains any other characters.
▪Encode output. If you are sending information to the user's browser, check it to ensure that it contains only valid characters. A typical example is to filter out HTML tags from text (or at least to convert < and > characters to &lt; and &gt;) before passing it to the user.
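The two rules above applied in code, as an added example that is not part of the UNICOM documentation or its activities; the project-name field, its allowlist pattern and the sample inputs are assumptions made for illustration:

```javascript
// Added example (not UNICOM's own code): "restrict input" and "encode output"
// as two small functions an activity could call before trusting user data.

// Rule 1: restrict input. Decide which characters a field may contain and
// reject anything else. This allowlist is an assumption for a field such as
// a project name: letters, digits, space, dot, underscore and hyphen only.
const PROJECT_NAME_RE = /^[A-Za-z0-9 ._-]{1,64}$/;

function validateProjectName(value) {
  if (typeof value !== 'string' || !PROJECT_NAME_RE.test(value)) {
    return { ok: false, error: 'Project name contains characters that are not allowed' };
  }
  return { ok: true, value };
}

// Rule 2: encode output. Convert the characters that have meaning to the HTML
// parser into entities before placing untrusted text in a page. Encoding only
// < and > (the minimum the text describes) stops injected tags in element
// content; & and both quote characters are encoded as well so the same routine
// is also safe inside double- or single-quoted attribute values.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Build a fragment of an activity's response from a user-supplied value.
// The value is used twice, as element content and inside an attribute, and
// is encoded in both places.
function renderGreeting(userName) {
  const safe = encodeHtml(userName);
  return `<p>Welcome, <span title="${safe}">${safe}</span></p>`;
}

// Constructed sample inputs (not taken from the original page).
const SAMPLES = [
  'Survey 2024',          // accepted by the allowlist
  '<b>Hello</b>',         // rejected: angle brackets are not allowed
  '" title="changed',     // rejected: quotes are not allowed
];

function demo() {
  return SAMPLES.map((s) => ({
    input: s,
    accepted: validateProjectName(s).ok,
    rendered: renderGreeting(s),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node` to see, for each sample, whether the allowlist accepts it and what the encoded fragment looks like; an input rejected by rule 1 is still rendered harmlessly by rule 2.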
More information
For an overview of how cross-site scripting works, and some links to other sites giving more detailed information, see:
“How To: Prevent Cross-Site Scripting in ASP.NET”:
http://msdn2.microsoft.com/en-us/library/ms998274.aspx
A paper explaining how HTML code injection and cross-site scripting can be achieved and how you can prevent this in your applications:
http://www.technicalinfo.net/papers/CSS.html