Cross-site script injection (XSS) and HTML encoding attacks
are two of the most common security issues that plague websites and
applications. They occur when attackers find a way to inject client-side
script or HTML markup into web pages that are then viewed by other visitors to
a site. This can be used both to vandalize a site and to let
attackers run client-side script that steals cookie data and/or exploits a
user's identity on a site to do bad things.
One way to help mitigate cross-site scripting
attacks is to make sure that rendered output is HTML encoded within a
page. This helps ensure that any content that might have been
input/modified by an end-user cannot be output back onto a page as live
markup such as <script> or <img> elements: the browser displays the characters literally instead of parsing them as tags.
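The following is an added example, not code from the original article. It contrasts a rendering function that interpolates user-supplied text straight into markup with one that HTML-encodes it first, and uses Python's own HTML parser as a stand-in for the browser to show which tags each version actually produces. The sample input, the `render_*` function names and the `TagCollector` helper are all constructed for this illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample input standing in for text a visitor submitted through a form.
USER_INPUT = "<script>alert(1)</script> <b>hello</b>"
# Constructed attribute value containing a quote, which matters in attribute context.
USER_TITLE = 'x" onmouseover="alert(1)'


def render_unencoded(user_text: str) -> str:
    """Vulnerable: user text is dropped into the page markup as-is,
    so any tags it contains become part of the document."""
    return f'<p class="comment">{user_text}</p>'


def render_encoded(user_text: str) -> str:
    """Hardened: html.escape turns <, >, &, " and ' into entities, so the
    browser renders the text literally instead of parsing it as markup."""
    return f'<p class="comment">{html.escape(user_text, quote=True)}</p>'


def render_attribute_encoded(title: str) -> str:
    """Hardened attribute context: the value sits inside a double-quoted
    attribute, so the quote character must be encoded as well (quote=True)."""
    return f'<a href="/" title="{html.escape(title, quote=True)}">link</a>'


class TagCollector(HTMLParser):
    """Records the element start tags a browser-like parser would see.
    Used here only to demonstrate the difference between the two renderings."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.attrs: dict[str, list] = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs[tag] = attrs


def tags_seen(fragment: str) -> list[str]:
    """Return the start tags a parser finds in the rendered fragment."""
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def attrs_seen(fragment: str, tag: str) -> list:
    """Return the (name, value) attribute pairs the parser found on `tag`."""
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.attrs.get(tag, [])


if __name__ == "__main__":
    print("unencoded tags:", tags_seen(render_unencoded(USER_INPUT)))
    print("encoded tags:  ", tags_seen(render_encoded(USER_INPUT)))
    print("encoded output:", render_encoded(USER_INPUT))
    print("attribute out: ", render_attribute_encoded(USER_TITLE))
```

The unencoded rendering yields `p`, `script` and `b` elements, i.e. the injected script tag is now part of the page; the encoded rendering yields only the author's `p`, and the attribute example keeps the whole user string inside a single `title` attribute rather than letting the embedded quote open a new one. Note that `html.escape` is correct for element content and quoted attribute values only; text placed inside a `<script>` block, a URL, or an inline event handler needs encoding appropriate to that context, which this example does not cover.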