Question

I'm new to dealing with cross-site scripting problems. We have some 404 pages that output the not-found URL where, from what I learned, JavaScript can be maliciously substituted. To prevent an XSS attack, is it enough to simply remove the outputting of the bad URL? Or do I still need to somehow filter the input against a whitelist, for which I was looking at the OWASP library: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API


Solution

Any input from a user is potentially dangerous. You receive it: it can take up your whole memory :) You display it: you can be hurt by cross-site scripting. You try to interpret it in any way: you have SQL/LDAP/JS/xxx injection. And there are probably a few more attacks that I'm not even aware of. So if you don't display it, then yes, you are secure against XSS. However, you should still be careful with the user's data. OWASP's advice is good: whitelist filtering is the easiest way to get a higher level of security.
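As an added illustration of the reflected XSS the question describes (not code from the original question or answer), here is a 404 renderer in its vulnerable form next to a hardened form. The hardened version applies a whitelist check on the requested path and then HTML-encodes whatever it displays, so the two defenses are independent. The template text, the `SAFE_PATH` policy and the placeholder string are assumptions made for this example, and the sample request paths are constructed.

```javascript
// Added example: a 404 page that reflects the requested URL.
// Not code from the original question, answer or the OWASP ESAPI library.

// Vulnerable: the requested path is interpolated straight into the HTML body,
// so a request for /<script>alert(1)</script> turns into executable markup.
function render404Unsafe(requestedPath) {
  return `<h1>404 Not Found</h1><p>The page ${requestedPath} does not exist.</p>`;
}

// Output encoding: escape the characters that can break out of an HTML text
// or double/single-quoted attribute context. This is what makes reflecting
// the input safe, regardless of what the whitelist below lets through.
function htmlEscape(value) {
  const table = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => table[ch]);
}

// Whitelist filter (assumed policy for this example): accept only an absolute,
// already percent-decoded path made of URL-safe characters. Anything else is
// replaced by a fixed placeholder so no attacker-controlled text is echoed.
const SAFE_PATH = /^\/[A-Za-z0-9._~\/-]*$/;
function isAllowedPath(requestedPath) {
  return SAFE_PATH.test(String(requestedPath));
}

// Hardened: whitelist first, then encode on output anyway (defense in depth).
function render404Safe(requestedPath) {
  const shown = isAllowedPath(requestedPath) ? requestedPath : '(the requested page)';
  return `<h1>404 Not Found</h1><p>The page ${htmlEscape(shown)} does not exist.</p>`;
}

// Constructed sample requests: one legitimate typo and two XSS payloads.
const samplePaths = [
  '/docs/missing-page',
  '/<script>alert(1)</script>',
  '/"><img src=x onerror=alert(1)>',
];

// Side-by-side output for each sample path.
function demo() {
  return samplePaths.map((p) => ({
    path: p,
    unsafe: render404Unsafe(p),
    safe: render404Safe(p),
  }));
}

for (const row of demo()) {
  console.log('unsafe:', row.unsafe);
  console.log('safe:  ', row.safe);
}
```

Note that the whitelist alone would be a fragile defense if the policy ever loosened (for example to allow `?query=` strings), while the output encoding alone is enough to stop the injection in this HTML text context; the answer's point is that both layers are cheap, so apply both.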

Licensed under: CC-BY-SA with attribution