A few things I didn't emphasize enough in the previous entry:
- Use your framework's built-in mechanisms for proper output escaping where possible (<c:out />, h(), htmlentities(), Server.HTMLEncode(), etc.)
- Do this output filtering for all dynamic output, regardless of where it came from.
- To the degree possible, use a level of indirection first, particularly with URLs that you feed into an exit page.
- This is obviously only good for you if you don't intend for users to be able to put in their own HTML. If users need to be able to put in their own HTML, consider using a Wiki markup instead of HTML.
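The two points above (escape every dynamic value, and put an indirection layer in front of exit-page URLs) in working Ruby, as an added example that is not code from the original entry. It uses ERB::Util.html_escape, the standard-library function that Rails' h() helper wraps; the EXIT_LINKS table, the profile fields and the /exit?to= path are constructed for this example.

```ruby
require 'erb'
require 'cgi'

# Escape any dynamic value before it is interpolated into HTML.
# ERB::Util.html_escape is what Rails' h() wraps; it encodes & < > " and '.
def escape_html(value)
  ERB::Util.html_escape(value.to_s)
end

# Render a profile snippet. Every dynamic field goes through escape_html,
# regardless of whether it came from the request, the database or a file.
def render_profile(name:, bio:)
  "<p class=\"name\">#{escape_html(name)}</p><p class=\"bio\">#{escape_html(bio)}</p>"
end

# Level of indirection for an exit page: the page accepts an opaque id that
# is looked up in a server-side table, never a raw URL supplied by the user.
# This table is constructed for the example.
EXIT_LINKS = {
  'docs'    => 'https://example.com/docs',
  'support' => 'https://example.com/support'
}.freeze

# Returns the destination for a known id, or nil for anything else,
# so a user-supplied URL can never become the redirect target.
def resolve_exit(id)
  EXIT_LINKS[id]
end

# Builds the exit link. The id is URL-encoded for the query string and the
# destination (which comes from the table, not from input) is still escaped
# when it is placed into the HTML body.
def exit_link(id)
  url = resolve_exit(id)
  return nil if url.nil?
  "<a href=\"/exit?to=#{CGI.escape(id)}\">#{escape_html(url)}</a>"
end

if __FILE__ == $PROGRAM_NAME
  puts render_profile(name: '<script>alert(1)</script>', bio: 'say "hi" & bye')
  puts exit_link('support')
  p exit_link('https://evil.example/')
end
```

The same escape_html call is applied to the name, the bio and the resolved URL alike; the point of the second bullet is that escaping happens at output time for every value, not only for the ones you remember came from a form.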