According to OWASP, which three statements are rules to prevent XSS attacks? (Choose three.)


  • Use the HTML tag with JavaScript encoding.
  • Use HTTPS only mode for accessing web applications.
  • Use HTML escape before inserting untrusted data into HTML element content.
  • Use the HTML img tag with a combination of hexadecimal HTML character references.
  • Use attribute escape before inserting untrusted data into HTML common attributes.
  • Use JavaScript escape before inserting untrusted data into JavaScript data values.

Explanation: According to OWASP, the general rules for preventing XSS attacks include:

- Use an auto-escaping template system.
- Never insert untrusted data except in allowed locations.
- Use HTML escape before inserting untrusted data into HTML element content.
- Use attribute escape before inserting untrusted data into HTML common attributes.
- Use JavaScript escape before inserting untrusted data into JavaScript data values.
- Use CSS escape and strictly validate before inserting untrusted data into HTML-style property values.
- Use URL escape before inserting untrusted data into HTML URL parameter values.
- Sanitize HTML markup with a library such as ESAPI to protect the underlying application.
- Use the HTTPOnly cookie flag.
- Implement content security policy.
- Use the X-XSS-Protection response header.
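
The three escaping rules that answer the question, shown side by side as an added example (not code from the original page or from OWASP). The function names are hypothetical and the sample input is constructed. It shows why each output context needs its own encoder.

```javascript
// Added example: one encoder per output context. All names are hypothetical.

// HTML element content: escape the five characters that are significant in markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// HTML common attributes: encode every non-alphanumeric character as &#xHH;
// so the value stays inside the attribute even when the attribute is unquoted.
function escapeAttr(s) {
  return Array.from(String(s), (ch) =>
    /[A-Za-z0-9]/.test(ch) ? ch : `&#x${ch.codePointAt(0).toString(16).toUpperCase()};`
  ).join('');
}

// JavaScript data values: encode every non-alphanumeric UTF-16 unit as \xHH
// or \uHHHH, so quotes, backslashes and "</" cannot end the string or the script.
function escapeJs(s) {
  const str = String(s);
  let out = '';
  for (let i = 0; i < str.length; i++) {
    const code = str.charCodeAt(i);
    const hex = code.toString(16).toUpperCase();
    if (/[A-Za-z0-9]/.test(str[i])) out += str[i];
    else if (code < 256) out += '\\x' + hex.padStart(2, '0');
    else out += '\\u' + hex.padStart(4, '0');
  }
  return out;
}

// The same untrusted value placed in three contexts, each with its own encoder.
function renderProfile(name) {
  return [
    `<p>${escapeHtml(name)}</p>`,
    `<input value="${escapeAttr(name)}">`,
    `<script>var name = '${escapeJs(name)}';</script>`,
  ].join('\n');
}

// Constructed sample input containing characters significant in each context.
const sample = `O'Brien <b> "x" \\ &`;
console.log(renderProfile(sample));

// HTML escaping alone leaves spaces, '=' and backslashes untouched, which is
// why it is not sufficient for attribute or JavaScript contexts.
console.log(escapeHtml('x y=z \\'), '|', escapeAttr('x y=z'), '|', escapeJs('\\'));
```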

Exam with this question: 6.13.3 Quiz - Performing Post-Exploitation Techniques Answers
