Java SE 7 Programmer II — Question 6

Which two measures are most effective in protecting websites from cross site scripting (XSS) attacks?

Answer options

• A. Escape "<" and ">" parameters that displayed or evaluated by the JavaScript interpreter.
• B. URL-encode "<" and ">"parameters so they will never be evaluated by the JavaScript Interpreter.
• C. Ensure that the session cookie is sent only on HTTPS connections.
• D. Treat all user-supplied input as unsafe, and white list known good characters
• E. Execute all user-supplied scripts in a server-side sandbox.

Correct answer: C, E

Explanation

Option C is correct because ensuring that the session cookie is transmitted only over HTTPS protects it from being intercepted. Option E is also correct as running user-supplied scripts in a server-side sandbox mitigates the risk of XSS attacks by preventing execution in the client's browser. Options A, B, and D are relevant to XSS prevention but do not directly address the most effective measures compared to C and E.