First page Back Continue Last page Overview Graphics
The main defense is to filter all user input before sending it back to the browser
In particular, it is recommended that these characters: < > ( ) & # be filtered
- < > ( ) & # are substitutes
- Usually the language has a function to call to do that for you: htmlentities(), cgi.escape(), etc.