
9/01/2006

XSS, Cookies, and Session ID Authentication - Three Ingredients for a Successful Hack > The Fixes: "There are a few things that the web developers could do to help prevent these types of attacks. First, all form fields should be filtered to prevent XSS attacks. This is typically as simple as filtering just the '<' and '>' characters, but can be extended beyond that to also include '&*^%%$#@!(){}[]\|';:/?.,>'. The point is to think about what characters are actually needed. Second, a user should never be allowed to upload a file that could be executed on the server. In other words, an upload script should be limited to just those files that are necessary for business. In addition to this, I would suggest uploading files to a non-executable directory on the webserver (e.g. /home/files vs. /home/www/files)."
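The two fixes the quoted article describes, worked through in code. This is an added example and not code from the quoted article or from this blog: it shows the '<' and '>' blacklist and the "only the characters actually needed" allowlist side by side, adds HTML output encoding (which the quoted text does not mention, but which is what actually protects an attribute context that the '<' '>' filter leaves untouched), and implements an upload check that allows only a business-justified set of extensions and writes into a directory outside the web root. The field name, the extension list and the /home/files destination are assumptions made for the example.

```python
"""Added example: form-field filtering and upload restrictions along the lines
of the quoted fixes. Names, paths and the allowed-extension list are
hypothetical choices for illustration, not taken from the quoted article."""
import html
import os
import re
from typing import Optional

# The two character sets the quoted article suggests filtering out.
MINIMAL_FILTER = set("<>")
EXTENDED_FILTER = set("<>&*^%$#@!(){}[]\\|';:/?.,")


def strip_filtered(value: str, filtered=MINIMAL_FILTER) -> str:
    """Blacklist filter: drop every character in `filtered`, keep the rest."""
    return "".join(ch for ch in value if ch not in filtered)


def keep_allowed(value: str, pattern: str = r"[A-Za-z0-9 .,'\-]") -> str:
    """Allowlist filter: keep only the characters the field actually needs
    (here: letters, digits, space and basic punctuation for a comment field)."""
    return "".join(re.findall(pattern, value))


def render_html(value: str) -> str:
    """Output encoding for an HTML text or quoted-attribute context.
    This is what stops a payload that contains no '<' or '>' at all, such as
    a quote that breaks out of an attribute value."""
    return html.escape(value, quote=True)


# --- Upload restrictions -----------------------------------------------------

# Only file types the business needs; nothing the web server would execute.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".txt"}

# Assumed non-executable directory outside the web root (cf. /home/files vs
# /home/www/files in the quoted text).
UPLOAD_DIR = "/home/files"


def safe_upload_name(client_filename: str) -> Optional[str]:
    """Return a sanitised basename if the upload is allowed, else None."""
    # Discard any directory component the client supplied, whichever separator.
    base = os.path.basename(client_filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    # No hidden files and no double extensions (shell.php.txt): some servers
    # map handlers on any extension in the name, not just the last one.
    if not stem or "." in stem:
        return None
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    # Restrict the stem to a conservative character set, length-limited.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return None
    return stem + ext.lower()


def upload_destination(client_filename: str, upload_dir: str = UPLOAD_DIR) -> Optional[str]:
    """Compute where an allowed upload would be written; None if rejected."""
    name = safe_upload_name(client_filename)
    if name is None:
        return None
    dest = os.path.normpath(os.path.join(upload_dir, name))
    # Belt and braces: the final path must still be inside the upload directory.
    if os.path.commonpath([os.path.normpath(upload_dir), dest]) != os.path.normpath(upload_dir):
        return None
    return dest


if __name__ == "__main__":
    # Constructed sample inputs.
    print(strip_filtered("<script>alert(1)</script>"))
    print(keep_allowed("<script>alert(1)</script>"))
    attr_payload = '" onmouseover="alert(1)'
    print(strip_filtered(attr_payload))   # unchanged: no '<' or '>' present
    print(render_html(attr_payload))      # quotes encoded, attribute stays intact
    for f in ["report.PDF", "../../home/www/shell.php", "shell.php.txt", "..\\..\\evil.txt"]:
        print(f, "->", upload_destination(f))
```

Note the order of defence the example implies: the allowlist filter limits what is stored, the output encoding protects the page wherever the value is later rendered, and the upload check refuses executable types and double extensions before the path is even built.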
