Preventing Reflected and Stored XSS
The root cause of both reflected and stored XSS is that user-controllable data is copied into application responses without adequate validation and sanitization. Because the data is being inserted into the raw source code of an HTML page, malicious data can interfere with that page, modifying not only its content but also its structure — breaking out of quoted strings, opening and closing tags, injecting scripts, and so on.
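To make the structural point concrete, here is an added example (not code from the book or its authors) in Python. It renders the same page fragment twice: once by copying a user-supplied value verbatim into an HTML attribute and into element text, and once through context-appropriate HTML encoding. A small parser then counts the start tags each rendering produces, which turns the text's observation into a check: a correctly encoded response contains exactly the tags the template declared, no matter what the input was. The input string, the template and the helper names are all constructed for this illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample input of the kind the text describes: it closes the
# quoted attribute it lands in and then opens a new element.
CONSTRUCTED_INPUT = '"><b>injected</b>'


def render_unsafe(name: str) -> str:
    """Vulnerable rendering: the value is copied into the HTML source as-is,
    so it can terminate the quoted attribute and add elements of its own."""
    return (
        f'<input type="text" name="name" value="{name}">'
        f'<p>Welcome, {name}</p>'
    )


def render_safe(name: str) -> str:
    """Hardened rendering: html.escape(quote=True) encodes & < > " and ', which
    is the correct encoding for HTML text and for double-quoted attribute
    values. Other contexts (a JavaScript string, a URL, CSS) need their own
    encoders and are deliberately not used in this template."""
    enc = html.escape(name, quote=True)
    return (
        f'<input type="text" name="name" value="{enc}">'
        f'<p>Welcome, {enc}</p>'
    )


class TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def start_tags(markup: str) -> list[str]:
    """Return the start tags in document order for a fragment of HTML."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


# The template declares exactly two elements; any other result means the
# input has altered the structure of the page rather than just its content.
EXPECTED_TAGS = ["input", "p"]


def structure_preserved(render, value: str) -> bool:
    """True if rendering `value` yields only the tags the template declares."""
    return start_tags(render(value)) == EXPECTED_TAGS


if __name__ == "__main__":
    print("unsafe tags:", start_tags(render_unsafe(CONSTRUCTED_INPUT)))
    print("safe tags:  ", start_tags(render_safe(CONSTRUCTED_INPUT)))
    print("unsafe preserves structure:", structure_preserved(render_unsafe, CONSTRUCTED_INPUT))
    print("safe preserves structure:  ", structure_preserved(render_safe, CONSTRUCTED_INPUT))
```

The `structure_preserved` check is the shape of a useful regression test for each output point found during the source review the text calls for: feed the rendering function inputs containing `"`, `<` and `>` and assert that the tag list is unchanged. Note that `html.escape` is only right for the two contexts used here; a value placed inside a `<script>` block, an event-handler attribute, a URL or a style sheet must be encoded for that context instead, or kept out of it altogether.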
To eliminate reflected and stored XSS vulnerabilities, the first step is to identify every instance within the application where user-controllable data is being copied into responses. This includes data that is copied from the immediate request and also any stored data that originated from any user at any prior time, including via out-of-band channels. To ensure that every instance is identified, there is no real substitute for a close review of all application source code.