PrepAway - Latest Free Exam Questions & Answers

A company's Web development team has become aware of a certain type of security vulnerability in their Web software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software requirements to disallow users from entering HTML as input into their Web application.

What kind of Web application vulnerability likely exists in their software?

A. Cross-site scripting vulnerability

B. Cross-site Request Forgery vulnerability

C. SQL injection vulnerability

D. Web site defacement vulnerability

Many operators of particular web applications (e.g. forums and webmail) allow users to utilize a limited subset of HTML markup. When accepting HTML input from users (say, <b>very</b> large), output encoding (such as &lt;b&gt;very&lt;/b&gt; large) will not suffice, since the user input needs to be rendered as HTML by the browser (so it shows as "very large" with "very" in bold, instead of the literal text "<b>very</b> large"). Stopping an XSS attack when accepting HTML input from users is much more complex in this situation. Untrusted HTML input must be run through an HTML sanitization engine to ensure that it does not contain cross-site scripting code.
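The distinction the explanation draws, as an added example that is not part of the original page: plain output encoding beside a minimal allowlist sanitizer built on Python's standard-library HTMLParser. The allowlist, the URL scheme list and the sample fragments are constructed for this example; a production application should rely on a maintained sanitizer library rather than this sketch.

```python
import html
from html.parser import HTMLParser

# Allowlist used by this example: tag -> attributes permitted on it.
ALLOWED = {"b": set(), "i": set(), "p": set(), "a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

def output_encode(fragment):
    # Plain output encoding: the browser shows the user's markup as literal text.
    return html.escape(fragment, quote=True)

class AllowlistSanitizer(HTMLParser):
    # Rebuilds a fragment from allowlisted tags only; everything else is dropped.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0   # skip > 0 while inside a discarded element

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1            # discard the element and all of its content
            return
        if self.skip or tag not in ALLOWED:
            return                    # unknown tag dropped; its text still passes
        parts = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue              # drops onclick=, onerror=, style=, ...
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue              # drops javascript:, data: and similar URLs
            parts.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(parts)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))  # text is re-encoded

def sanitize(fragment):
    # Returns markup that only contains allowlisted tags and attributes.
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)
```

Note that the sanitizer keeps the user's bold markup while output encoding would display it as literal angle brackets; both are needed in different contexts, which is why choosing the wrong one for HTML-accepting fields leaves the XSS risk in place.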
