XSS Prevention: One Line of Encoding That Stops 90% of Attacks

According to OWASP 2025, improper output encoding remains in the top 3 web vulnerabilities. The fix? One line:

element.innerHTML = encodeHtml(userInput);

Why It Works

XSS requires the browser to interpret user input as code. HTML entity encoding replaces the characters that open markup (&, <, >, quotes) with entities, so <script> becomes the harmless text &lt;script&gt; and is rendered, not executed.
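Added example (not code from the original post): a minimal encodeHtml for the HTML text context, run over a few constructed inputs. It assumes no library is available and that the data is encoded once, at output time; the last sample shows what happens when already-stored entities are encoded again.

```javascript
// Entities for the five characters that can change HTML parsing state
// in the text/attribute context. Single quote uses a numeric entity because
// &apos; is not defined in HTML 4.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// One regex pass so '&' is never encoded twice within the same call.
// This is the text/attribute encoder; JavaScript, URL and CSS contexts
// need their own encoders.
function encodeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Sanity check usable as a unit-test assertion around any output encoder:
// encoded output must not contain a raw tag delimiter or quote.
function containsMarkup(s) {
  return /[<>"']/.test(s);
}

// Constructed sample inputs: a script tag, an attribute break-out, and a
// string that already contains an entity (stored pre-encoded).
const SAMPLES = [
  '<script>alert(1)</script>',
  '" onmouseover="x',
  'Tom & Jerry &lt;3',
];

// Encode every sample once, the way the one-liner above would at output time.
function encodeAll() {
  return SAMPLES.map(encodeHtml);
}

// The third result, '&amp;lt;3', renders literally as "&lt;3": encoding data
// that was already encoded when stored produces double encoding, which is
// why the encode step belongs at the point of output, not at storage.
```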

Attack Types Stopped

  • Reflected XSS (URL parameters)
  • Stored XSS (comments, forums)
  • DOM-based XSS via innerHTML

When CSP and Frameworks Aren’t Enough

Content Security Policy blocks inline scripts, but many legacy apps can’t use it. Frameworks help only if you stay in their rendering path. Direct DOM writes bypass everything — except encoding.

FAQ

Isn’t XSS dead in 2025?

No. 68% of reported breaches in 2024 still involved some form of injection.

The simplest defense is often the strongest.