This cheat sheet helps developers prevent XSS vulnerabilities.

The very first OWASP Cheat Sheet, Cross Site Scripting Prevention, was inspired by RSnake's work and we thank RSnake for the inspiration! This cheat sheet demonstrates that input filtering is an incomplete defense for XSS by supplying testers with a series of XSS attacks that can bypass certain ...

November 13, 2025 - What is missing or needs to be updated? Trusted types seem to be a modern way/approach to finally getting rid of such XSS vulnerabilities and preventing them. It#s not mentioned (yet) at all, in th...

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.

March 22, 2009 - [OWASP CSRF] - Correct implementation of a "User interaction based CSRF defense" approach? r/webdev • · comments · Cross-site scripting (XSS) cheat sheet · r/xss • · upvotes · · comment · A Hitchhiker’s Guide to Cross-Site Scripting (XSS) in PHP (Part 1): How Not To Use Htmlspecialchars() For Output Escaping | Pádraic Brady ·

This cheatsheet addresses DOM (Document Object Model) based XSS and is an extension (and assumes comprehension) of the XSS Prevention Cheatsheet.

Interactive cross-site scripting (XSS) cheat sheet for 2026, brought to you by PortSwigger. Actively maintained, and regularly updated with new vectors.

The Content-Type representation header is used to indicate the original media type of the resource (before any content encoding is applied for sending). If not set correctly, the resource (e.g. an image) may be interpreted as HTML, making XSS vulnerabilities possible.

The primary defenses against XSS are described in the OWASP XSS Prevention Cheat Sheet.

1. https://owasp.org/www-community/attacks/xss/ 2. https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP · 3. https://owasp.org/www-project-cheat-sheets/cheatsheets/Input_Validation_Cheat_Sheet · 4. https://wiki.owasp.org/index.php/Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001) 5.

January 23, 2009 - The Open Web Application Security Project (OWASP) has recently released a XSS (Cross Site Scripting) Prevention Cheat Sheet. This cheat sheet helps developers identify how and when to output encode or escape untrusted user data when including it within a page.

xss-owasp-cheatsheet · Raw · xss-owasp-cheatsheet · This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below.

Laravel also offers displaying unescaped data using the unescaped syntax {!! !!}. This must not be used on any untrusted data, otherwise your application will be subject to an XSS attack.

See the OWASP XSS Prevention Cheat Sheet for detailed guidance on how to prevent XSS flaws.

Both reflected and stored XSS can be addressed by performing the appropriate validation and escaping on the server-side. DOM Based XSS can be addressed with a special subset of rules described in the DOM based XSS Prevention Cheat Sheet.

September 4, 2020 - IE also has the ondeactivate and onbeforedeactivate events, in order to automatically execute these events you need to modify the hash twice as autofocus won't work in IE when the first element is focused.<a ondeactivate=alert(1) id=x tabindex=1></a><input id=y autofocus> <xss ondeactivate=alert(1) id=x tabindex=1></xss><input id=y autofocus> <a onbeforedeactivate=alert(1) id=x tabindex=1></a><input id=y autofocus> someurl.php#x someurl.php#y · Finally here is a Chrome specific vector that works inside SVG:<svg><discard onbegin=alert(1)> There are many more vectors in the cheatsheet; I just chose the most interesting for the blog post.

We’re big fans of the OWASP Cheat Sheet Series, one of the flagship OWASP projects. The series includes detailed information on all kinds of security issues and is an outstanding reference and educational tool. We developed these cheat sheets to check for code patterns of potential XSS (cross ...

We can generally succeed in preventing XSS attacks by removing potentially dangerous keywords or potentially dangerous characters such as:

Open CRE - Open Cybersecurity Requirement Expression: Link security requirements across standards and frameworks.

April 22, 2013 - OWASP's XSS cheat sheet is a good read, as well as the other cheat sheets and articles.