조치사항
[패턴문자]
' img src
" onload
< onclick
> onfocus
& onmouse
/ onblur
javascript onchange
vbscript onscroll
object onsubmit
embed onunload
iframe onerror
applet layer
alert bgsound
frame frameset

- 패턴 문자 필터링

JSP XSS 시큐어 코딩

page.jsp 파일 중에서

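// NOTE: X-XSS-Protection is a legacy browser filter header that current browsers
// ignore; it is defence in depth at best and not a substitute for the output
// encoding below.
response.addHeader("X-XSS-Protection", "1; mode=block");

// Java string literals use double quotes; 'field' is a (multi-character) char
// literal and does not compile.
String param = request.getParameter("field");
if (param == null) {
    param = "";  // getParameter returns null when the field is absent
}

// Encode for an HTML body / quoted-attribute context, covering & < > " ' and /
// from the pattern table above.
//  - '&' must be replaced FIRST so the entities produced by the later steps are
//    not double-encoded (the original replaced "%", which leaves '&' unencoded
//    and breaks nothing but also protects nothing).
//  - replace() is a literal replacement; replaceAll() treats its first argument
//    as a regex, which is not wanted here.
//  - "\/" is not a valid Java escape sequence; the character is simply "/".
//  - Numeric entities need the trailing ';' to be well-formed.
param = param.replace("&", "&amp;");
param = param.replace("<", "&lt;");
param = param.replace(">", "&gt;");
param = param.replace("\"", "&quot;");
param = param.replace("'", "&#x27;");
param = param.replace("/", "&#x2F;");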

OR

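// Denylist built from the pattern table at the top of this page. This is a
// secondary control only: a token list cannot anticipate every encoding or
// spelling of these strings, so output encoding remains the primary defence
// and this check must not be relied on alone.
String[] PreventChars = {
    "'", "\"", "<", ">", "&", "/",
    "javascript", "vbscript", "object", "embed", "iframe", "applet", "alert", "frame",
    "img src", "onload", "onclick", "onfocus", "onmouse", "onblur", "onchange",
    "onscroll", "onsubmit", "onunload", "onerror", "layer", "bgsound", "frameset"
};

// indexOf() is case-sensitive, so an exact match against the lower-case table
// would miss mixed-case input; normalise once before scanning. Locale.ROOT
// avoids locale-specific case folding (e.g. the Turkish dotless i).
String lowered = (param == null) ? "" : param.toLowerCase(java.util.Locale.ROOT);
for (String blocked : PreventChars) {
    if (lowered.indexOf(blocked) != -1) {
        System.out.println("금지된 키워드 사용입니다.");
        return false;
    }
}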


PHP XSS 시큐어 코딩


page.php 파일 중에서

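// header() takes one "Name: value" string; its second parameter is the bool
// $replace flag, so header("X-XSS-Protection", "1") sent a header with no
// value at all. The header itself is a legacy browser filter that current
// browsers ignore, so the encoding below is the actual control.
header("X-XSS-Protection: 1");

// `$a = $b or $c` parses as `($a = $b) or $c` because `or` binds looser than
// `=`: $_GET was never consulted and a missing POST field raised an
// undefined-index notice. Pick the first field that is actually set.
if (isset($_POST['field'])) {
    $param = $_POST['field'];
} elseif (isset($_GET['field'])) {
    $param = $_GET['field'];
} else {
    $param = '';
}

/**
 * Encode a raw request value for insertion into HTML text or a quoted attribute.
 *
 * Covers the characters from the pattern table above: & < > " ' and /.
 * htmlspecialchars() with ENT_QUOTES handles the first five and encodes '&'
 * first, so later entities are not double-encoded; '/' is added by hand.
 * Note that in a double-quoted PHP string "\/" is the two characters
 * backslash + slash (\/ is not an escape), so the original str_replace for
 * the slash never matched anything.
 *
 * @param string $value raw request value
 * @return string encoded value that can be echoed into an HTML body
 */
function encode_for_html($value)
{
    $encoded = htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return str_replace('/', '&#x2F;', $encoded);
}

$param = encode_for_html($param);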


ASP.NET (C#) 시큐어 코딩(MSDN 참조)


page.aspx 파일 중에서

<%@ Page Language="C#" ValidateRequest="false"%>

<script runat="server">

  void submitBtn_Click(object sender, EventArgs e)
  {
    // Encode the string input
    StringBuilder sb = new StringBuilder(
                            HttpUtility.HtmlEncode(htmlInputTxt.Text));
    // Selectively allow  <b> and <i>
    sb.Replace("&lt;b&gt;", "<b>");
    sb.Replace("&lt;/b&gt;", "");
    sb.Replace("&lt;i&gt;", "<i>");
    sb.Replace("&lt;/i&gt;", "");
    Response.Write(sb.ToString());
  }
</script>

<html>
  <body>
    <form id="form1" runat="server">
      <div>
        <asp:TextBox ID="htmlInputTxt" Runat="server"
                     TextMode="MultiLine" Width="318px"
                     Height="168px"></asp:TextBox>
        <asp:Button ID="submitBtn" Runat="server"
                     Text="Submit" OnClick="submitBtn_Click" />
      </div>
    </form>
  </body>
</html>