6.5.7 Cross-site scripting (XSS)
6.5.7 Examine software-development policies and procedures and interview responsible personnel to verify that cross-site scripting (XSS) is addressed by coding techniques that include
• Validating all parameters before inclusion
• Utilizing context-sensitive escaping.
XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim’s browser, which can hijack user sessions, deface
web sites, possibly introduce worms, etc.