-
Book Overview & Buying
-
Table Of Contents
Django Design Patterns and Best Practices
By :
Cross-site scripting (XSS), considered the most prevalent web application security flaw today, enables an attacker to execute his malicious scripts (usually JavaScript) on web pages viewed by users. Typically, the server is tricked into serving their malicious content along with the trusted content.
How does a malicious piece of code reach the server? The common means of entering external data into a website are as follows:
None of these can be entirely avoided. The real problem is when outside data gets used without being validated or sanitized (as shown in the following screenshot). Never trust outside data:

For example, let's take a look at a piece of vulnerable code, and how an XSS attack can be performed on it. It is strongly advised not to use this code in any form:
class XSSDemoView(View):
def get(self, request):
# WARNING: This code is insecure and prone to XSS attacks
...
Change the font size
Change margin width
Change background colour