== Stored XSS
One way to prevent stored XSS is the usage of https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project[OWASP AntiSamy]. AntiSamy can produce a "clean" string based on an adjustable policy file.

See the java class below, which saves a comment into a database.

[source,java]
-------------------------------------------------------
public class MyCommentDAO {

    public static void addComment(int threadID, int userID, String newComment) {

                String sql = "INSERT INTO COMMENTS(THREADID, USERID, COMMENT) VALUES(?,?,?);";

                try {
                        PreparedStatement stmt = connection.prepareStatement(sql);

                        stmt.setInt(1, threadID);
                        stmt.setInt(2, userID);
                        stmt.setString(3, newComment);

                        stmt.executeUpdate();
                } catch (SQLException e) {
                        e.printStackTrace();
                }
        }
}
-------------------------------------------------------


And here is a Java class that uses the addComment function

[source,java]
-------------------------------------------------------
import org.owasp.validator.html.*;
import MyCommentDAO;

public class AntiSamyController {
    ...
    public void saveNewComment(int threadID, int userID, String newComment){
        MyCommentDAO.addComment(threadID, userID, newComment);
    }
    ...
}
-------------------------------------------------------
As you can see the Java file stores unfiltered user input into the database.
You have the whole malicious code stored in your database now.

== It is your turn!
Try to prevent this kind of XSS by creating a clean string inside the saveNewComment() function. Use the "antisamy-slashdot.xml" as a policy file for this example: