Introduction

Cross-site scripting (XSS) is a complex problem that is not going to go away anytime soon. Unlike most security-related issues, there is no quick fix that is acceptable for the majority. The problem is two-fold. First, the browser is not secure by design. It was created to make requests and process the results. This includes the ability to understand JavaScript, which is a standard programming language that Web developers can use to perform all sorts of functions, both good and bad. The browser doesn't decide if a piece of code is doing something malicious. Cookie data is often called by valid programs. Accessing clipboard data is an approved feature of Internet Explorer (IE) 6.0. It isn't the browser's job to determine what code is good and what is bad.

The second problem, which compounds the issue, is that Web developers are not creating secure sites. As a result, attackers are able to exploit their vulnerable scripts and inject code into the user's browser. So now the user is stuck between two impossible situations. They either have to disable all scripting ability, which will seriously dampen their Web browsing experience, or only visit Web sites they trust and know are secure.

In this section, we look at both sides of the equation. First, we examine the difficulties in setting up a solid foolproof filtering engine. As you will see, filtering is not a simple concept, and if not done exactly right it will fail. In fact, each and every person...