Avoiding XSS
The main defense is to escape (HTML-encode) all user-supplied data at the point where it is written into the page, so the browser renders it as text rather than interpreting it as markup or script
In particular, it is recommended that these characters be replaced rather than passed through: < > ( ) & #
- Their HTML entity substitutes are &lt; &gt; &#40; &#41; &amp; &#35; (named entities exist for < > &, numeric ones are used for ( ) #)
- Usually the language has a function to do this for you: htmlentities() in PHP, html.escape() in Python (the older cgi.escape() was removed in Python 3.8), etc.
- Check whether the function also escapes quotes (" and '); older defaults often did not, and an unescaped quote lets a value inside an attribute break out of it. Escape once, at output time, not on input, or values get double-encoded
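The escaping step described above, as an added example that is not part of the original slide: a hand-written substitution using the slide's character list, side by side with Python's standard html.escape(). The entity table for ( ) and # and the comment-rendering function are assumptions made for this example; the sample inputs are constructed.

```python
import html

# Entity substitutes for the characters the slide lists.
# Assumed table for this example: ( ) and # have no named entities,
# so numeric character references are used for them.
SLIDE_SUBSTITUTES = {
    "<": "&lt;",
    ">": "&gt;",
    "(": "&#40;",
    ")": "&#41;",
    "&": "&amp;",
    "#": "&#35;",
}


def escape_slide_list(text: str) -> str:
    """Replace only the characters the slide names.

    Works character by character, so '&' inside an already produced
    entity is never re-scanned within one call (but see double_encoded()).
    """
    return "".join(SLIDE_SUBSTITUTES.get(ch, ch) for ch in text)


def escape_attribute(value: str) -> str:
    """Escape a value destined for a quoted HTML attribute.

    html.escape(quote=True) also turns " and ' into entities, which the
    slide's list does not cover; without that an attacker can close the
    attribute and add an event handler.
    """
    return html.escape(value, quote=True)


def render_comment(author: str, body: str) -> str:
    """Build the HTML fragment at output time, escaping each value once
    for the context it lands in (attribute vs. element text).
    Hypothetical helper written for this example."""
    return (
        f'<div class="comment" data-author="{escape_attribute(author)}">'
        f"<p>{escape_slide_list(body)}</p></div>"
    )


def attribute_breakout_survives(value: str) -> bool:
    """True if escaping with the slide's list still leaves a raw double
    quote, i.e. the value could terminate an attribute it is placed in."""
    return '"' in escape_slide_list(value)


def double_encoded(text: str) -> str:
    """Demonstrate the input-time escaping trap: escaping twice encodes
    the '&' of the first pass again."""
    return escape_slide_list(escape_slide_list(text))


if __name__ == "__main__":
    # Constructed sample inputs.
    print(render_comment('" onmouseover="alert(1)', "<script>alert(1)</script>"))
    print(double_encoded("Tom & Jerry"))
```

render_comment() shows the practical rule: the escaping function must match the context (element text vs. attribute value), and the escaping happens when the fragment is produced, not when the data was stored.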