Cross-Site Scripting (XSS) is an attack in which a user injects client-side script into a page, typically to gather information from or infect the computers of other users who view that page. Specific consequences of an XSS attack include the forcible download of viruses and bots, theft of cookies containing a user's identifying information and/or login credentials, and the ability to modify the content of a site.
XSS attacks usually occur when a user is allowed to submit HTML content to a site as part of a form submission.
Assume that we wanted to let users submit formatted HTML to our app in the GrainBill and Instruction fields of our recipe creation and editing views. Without careful implementation on our part, it would be possible for users to submit HTML content with embedded script that could be used to hijack a user's session.
Even if we only let trusted users submit HTML content, we would still be exposing ourselves because there's nothing preventing our...