PrepAway - Latest Free Exam Questions & Answers

What kind of Web application vulnerability likely exist…

A company’s Web development team has become aware of a certain type of security vulnerability in their Web
software. To mitigate the possibility of this vulnerability being exploited, the team wants to modify the software
requirements to disallow users from entering HTML as input into their Web application.
What kind of Web application vulnerability likely exists in their software?


A. Cross-site scripting vulnerability

B. Cross-site Request Forgery vulnerability

C. SQL injection vulnerability

D. Web site defacement vulnerability

Explanation:
Many operators of particular web applications (e.g. forums and webmail) allow users to use a limited subset
of HTML markup. When HTML input is accepted from users (say, <b>very</b> large), output encoding (producing
&lt;b&gt;very&lt;/b&gt; large) will not suffice, because the user's input must be rendered as HTML by the browser
(so it shows as “very large” rather than the literal “<b>very</b> large”). Stopping an XSS attack when accepting
HTML input from users is therefore much more complex. Untrusted HTML input must be run through an HTML
sanitization engine to ensure that it does not contain cross-site scripting code.

References: https://en.wikipedia.org/wiki/Cross-site_scripting#Safely_validating_untrusted_HTML_input
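The two defences the explanation contrasts, as an added example that is not part of the original page: `encode_output` is plain output encoding, which shows the markup literally (correct when users may not enter HTML at all), and `sanitize_html` is a small allowlist sanitizer built on the Python standard library's `html.parser`, which keeps a permitted subset of tags and attributes and re-encodes everything else. The allowlist (`ALLOWED_TAGS`, `ALLOWED_ATTRS`, `SAFE_URL_SCHEMES`) and the sample inputs are assumptions made for this illustration.

```python
import html
from html.parser import HTMLParser

# Allowlist for the "limited subset of HTML markup" a forum might permit.
# The exact set is an assumption for this example; real deployments tune it.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute (onerror, style, ...) is dropped
SAFE_URL_SCHEMES = ("http://", "https://")


def encode_output(user_input: str) -> str:
    """Plain output encoding: the markup is shown literally, never rendered.

    Correct when users may NOT enter HTML; wrong for a forum that wants
    <b>very</b> to render in bold.
    """
    return html.escape(user_input, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the input from parsed tokens, keeping only allowlisted markup."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                     # e.g. <script>, <img>: tag dropped, text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue               # drops event handlers such as onerror=
            if name == "href":
                target = (value or "").strip().lower()
                if not target.startswith(SAFE_URL_SCHEMES):
                    continue           # drops javascript:, data:, vbscript: links
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    # Self-closing forms such as <br/> reach handle_starttag and then
    # handle_endtag through HTMLParser's default handle_startendtag.

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text content (including the body of a dropped <script>) is re-encoded,
        # so it can never be interpreted as markup when rendered.
        self.out.append(html.escape(data, quote=False))


def sanitize_html(user_input: str) -> str:
    """Return the user's HTML with only allowlisted markup left intact."""
    parser = AllowlistSanitizer()
    parser.feed(user_input)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    samples = [
        "<b>very</b> large",
        "<script>alert(1)</script>",
        '<a href="javascript:alert(1)">x</a>',
        "<img src=x onerror=alert(1)>",
        "5 < 6 & 7",
    ]
    for s in samples:
        print(f"{s!r:40} encoded -> {encode_output(s)!r:45} sanitized -> {sanitize_html(s)!r}")
```

Running the script shows why the explanation says encoding "will not suffice": `encode_output` turns `<b>very</b> large` into `&lt;b&gt;very&lt;/b&gt; large`, which the browser displays as literal angle brackets, whereas `sanitize_html` keeps the bold markup but reduces a script block to its harmless text, strips a `javascript:` link target and removes an event-handler attribute. The sketch does not balance unclosed tags or handle every parser quirk; a production application should use a maintained sanitizer (for example DOMPurify in the browser, or bleach or nh3 in Python) rather than a hand-written one.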

