Measures to prevent XSS vulnerability (like Twitter's one a few days before)

Question

Even famous sites like Twitter are suffering from XSS vulnerability, what should we do to prevent this kind of attack?

Answer 1

The #1 Thing you can do is set your cookies to HTTP Only ... which at least protects against session cookie hijacking. Like someone stealing your cookie when you are likely admin of your own site.

The rest comes down to validating all user input.

• RULE #0 - Never Insert Untrusted Data Except in Allowed Locations
• RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
• RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
• RULE #3 - JavaScript Escape Before Inserting Untrusted Data into HTML JavaScript Data Values
• RULE #4 - CSS Escape Before Inserting Untrusted Data into HTML Style Property Values
• RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Attributes

Very lengthy subject discussed in detail here:

http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

http://www.owasp.org/index.php/Cross_site_scripting

XSS is only one of many exploits and every web dev should learn the top 10 OWASP by heart imho

http://www.owasp.org/index.php/Top_10_2007