Sanitize user input:
- Validate input to catch potentially malicious user-provided values before they are processed.
- Encode output so that potentially malicious user-provided data cannot trigger automatic load-and-execute behaviour in the browser.
Limit use of user-provided data:
- Only use it where it is necessary.
Use a Content Security Policy (CSP):
- Provides an additional layer of protection and mitigation against XSS attempts, even when validation or encoding is missed.
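The three controls above, worked through together in an added example that is not part of the original page: allowlist validation of a username, context-aware HTML output encoding of a comment body and an attribute, and a nonce-based CSP header. The sample comment string, the field names and the `render_comment` / `build_csp_header` helpers are constructed for this illustration only.

```python
import html
import re
import secrets

# Constructed sample input, as a user might submit it (a test string, not a real attack).
SAMPLE_COMMENT = '<script>alert(1)</script> "quoted" & plain'

# Allowlist: usernames may contain only a narrow character set and a bounded length.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{3,32}$")


def validate_username(value: str) -> bool:
    """Validation step: reject anything outside the allowlist rather than trying to strip bad parts."""
    return bool(USERNAME_RE.fullmatch(value))


def encode_for_html_body(value: str) -> str:
    """Encoding step for an HTML text node: & < > become entities so markup is never interpreted."""
    return html.escape(value, quote=False)


def encode_for_html_attribute(value: str) -> str:
    """Encoding step for a quoted attribute value: also encodes quotes so the attribute cannot be closed early."""
    return html.escape(value, quote=True)


def render_comment(username: str, comment: str) -> str:
    """Use user data only where needed, and encode each value for the context it lands in."""
    if not validate_username(username):
        raise ValueError("username rejected by allowlist validation")
    return (
        f'<div class="comment" data-author="{encode_for_html_attribute(username)}">'
        f"{encode_for_html_body(comment)}</div>"
    )


def generate_nonce() -> str:
    """One unpredictable nonce per response; reused nonces defeat the policy."""
    return secrets.token_urlsafe(16)


def build_csp_header(nonce: str) -> dict:
    """CSP that only executes scripts carrying this response's nonce and blocks plugin and base-tag abuse."""
    policy = "; ".join([
        "default-src 'self'",
        f"script-src 'nonce-{nonce}'",
        "object-src 'none'",
        "base-uri 'none'",
    ])
    return {"Content-Security-Policy": policy}
```

Inline `<script>` tags in the page must carry `nonce="..."` matching the header value for the browser to run them.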