Merge pull request #439 from bugcrowd/self-reflected-xss

update rec for self-reflected XSS
bugcrowd · May 15, 2024 · f5b8ccc · f5b8ccc
2 parents 1d2d25f + 8fddd1d
commit f5b8ccc
Showing 1 changed file with 2 additions and 6 deletions.
diff --git a/submissions/description/cross_site_scripting_xss/reflected/self/recommendations.md b/submissions/description/cross_site_scripting_xss/reflected/self/recommendations.md
@@ -1,10 +1,8 @@
 # Recommendations
 
-All user input fields should be sanitized based on what the field is likely to contain. For example, a date of birth field should only contain a maximum of 10 characters consisting of numbers and forward slashes. Additionally, drop down or pick lists can be used for allowable inputs to ensure expected values are sent to the server.
+All user input fields should be validated and sanitized based on what the field is likely to contain. For example, a date of birth field should only contain a maximum of 10 characters consisting of numbers and forward slashes. Drop down or pick lists can be used for allowable inputs to ensure expected values are sent to the server. Similarly, output encoding should be used to properly escape user input and dynamic content when it is displayed on a page.
 
-Encode outputs of HTTP responses to prevent them from being interpreted as active content.
-
-Use appropriate HTTP response headers to ensure the browser correctly interprets responses. For example:
+Additionally, use appropriate HTTP response headers to ensure the browser correctly interprets responses. For example:
 
 ``` HTTP
 
@@ -13,8 +11,6 @@ Use appropriate HTTP response headers to ensure the browser correctly interprets
 
 ```
 
-Ensure access controls are managed on the principle of least privilege, and are routinely audited for unnecessary access.
-
 For more information, please see:
 
 - <https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html>