Data Type              Context              Defense
String                 HTML Body            HTML Entity Encode
String                 HTML Attribute       Minimal Attribute Encoding
String                 GET Parameter        URL Encoding
String                 Untrusted URL        URL Validation, avoid javascript: URLs, Attribute encoding, safe URL verification
String                 CSS                  Strict structural validation, CSS Hex encoding, good design
HTML                   HTML Body            HTML Validation (JSoup, AntiSamy, HTML Sanitizer)
Any                    DOM                  DOM XSS Cheat Sheet
Untrusted JavaScript   Any                  Sandboxing
JSON                   Client Parse Time    JSON.parse() or json2.js

Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width
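The per-context defenses in the table, written out as one small set of Python encoders (an added example, not code from the cheat sheet or any OWASP library). It assumes the attribute allowlist above, a six-digit fixed-width form for the CSS hex escapes, and an http/https-only policy for untrusted URLs.

```python
import urllib.parse

# Allowlist of attribute names the page lists as safe for untrusted values.
SAFE_ATTRIBUTES = frozenset("""align alink alt bgcolor border cellpadding cellspacing class
color cols colspan coords dir face height hspace ismap lang marginheight marginwidth
multiple nohref noresize noshade nowrap ref rel rev rows rowspan scrolling shape span
summary tabindex title usemap valign value vlink vspace width""".split())

_HTML_BODY = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;"}

def _is_ascii_alnum(c):
    return c.isascii() and c.isalnum()

def html_body_encode(s):
    """HTML body context: entity-encode the six characters that can break out of text."""
    return "".join(_HTML_BODY.get(c, c) for c in s)

def html_attr_encode(s):
    """HTML attribute context: encode everything except ASCII alphanumerics as &#xHH;,
    so the value stays inert even inside an unquoted attribute."""
    return "".join(c if _is_ascii_alnum(c) else "&#x%X;" % ord(c) for c in s)

def url_param_encode(s):
    """GET parameter context: percent-encode every character outside the unreserved set."""
    return urllib.parse.quote(s, safe="")

def safe_url(url):
    """Untrusted URL context: drop whitespace and control characters (which browsers
    ignore inside a scheme), accept only http(s) so javascript:/data:/vbscript: are
    refused, then attribute-encode for use in href/src. Returns None when rejected."""
    cleaned = "".join(c for c in url if c.isprintable() and not c.isspace())
    try:
        scheme = urllib.parse.urlsplit(cleaned).scheme.lower()
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if scheme not in ("http", "https"):
        return None
    return html_attr_encode(cleaned)

def css_hex_encode(s):
    """CSS context: encode non-alphanumerics as six-digit \\HHHHHH escapes (assumed
    fixed width here, so no trailing space is needed to terminate the escape)."""
    return "".join(c if _is_ascii_alnum(c) else "\\%06X" % ord(c) for c in s)

def is_safe_attribute(name):
    """True only for names on the allowlist; on* event handlers never pass."""
    return name.lower() in SAFE_ATTRIBUTES
```

Each encoder is chosen by the context the value lands in, not by the value itself; the same string needs different treatment in a body, an attribute, a URL and a stylesheet.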