WebGoat/webgoat-lessons/cross-site-scripting/src/main/resources/lessonPlans/en/CrossSiteScripting_content8-off.adoc

== DOM-based XSS Defense

* Attacker creates url:
+
----
http://mylogin.com/login?error=<script>alert(“xss”)</script>
----

* JavaScript must enforce input validation
+
----
  if ( errorMsg\[1\].match(/^[ a-zA-Z0-9:-]$/))  
  {
      document.write(‘some error’);
  }
  else
  {
    document.write('<b>'+errorMsg\[1\]+'</b>'); 
  }
----