> Whenever anything is sent to the server from the browser, we need proper validation. Input should be properly sanitized before being sent to the server.
That doesn't sound right. If the attack vector is reflected XSS, i.e. that code (HTML/JS/etc.) is taken from the attacker's input, stored in the database by the server and later injected straight into another user's page, sanitizing it "before being sent to the server" would mean relying on the attacker helpfully sanitizing their own data.
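An added example, not part of the comment above, sketching the point it makes: the server cannot tell whether a client-side sanitizer ran, so the encoding has to happen on the server at output time. All function names, the in-memory `db`, and the sample inputs are constructed for illustration.

```javascript
// Added example; all names and sample inputs are constructed.
const db = []; // stands in for the server's database

// Runs only in a cooperating browser; a hostile sender never executes it.
function clientSideSanitize(s) {
  return s.replace(/[<>]/g, "");
}

// Server endpoint: stores whatever arrives. It has no way to know
// whether clientSideSanitize() was applied before the request was sent.
function handlePost(body) {
  db.push(body);
}

// Output encoding for HTML element content and quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable render: trusts stored data and injects it straight into the page.
function renderUnsafe() {
  return db.map((c) => `<li>${c}</li>`).join("");
}

// Hardened render: encodes on the server at the point of output,
// regardless of what the sender did or did not sanitize.
function renderSafe() {
  return db.map((c) => `<li>${escapeHtml(c)}</li>`).join("");
}

// Honest user: the browser code sanitizes, then sends.
handlePost(clientSideSanitize("nice post <3"));
// Request sent directly to the endpoint, skipping the browser code entirely.
handlePost("<script>alert(1)</script>");

console.log(renderUnsafe()); // stored markup reaches the next viewer as markup
console.log(renderSafe());   // stored markup reaches the next viewer as text
```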