… blacklisting strings such as "1 OR 1=1" and "UNION" from input.
… using an intrusion detection system to detect attacks.
… whitelisting input (e.g. only allowing alphanumerical characters and spaces).
… use of prepared statements or parametrized queries.
… segmenting database accounts and minimizing their user rights.
The attacker may be able to run arbitrary code on the user's machine.
The attacker can exploit a XSS vulnerability in order to impersonate a user.
Reflected XSS vulnerabilities can only be triggered if the user performs a certain action.
The user cannot do anything to protect himself against reflected XSS on a page that he normally trusts.
An XSS payload may use AJAX requests to persistently infect multiple pages on the host.
Converting HTML control characters such as < to HTML entities such as <.
Only allowing certain 'safe' tags for formatting, such as <b>, <i>, <p>, <br>.
Using special tags (such as [url=...]) and converting them to HTML
Using a HTML filter library to remove potential XSS code from output.
In HTML5, AJAX calls can read from other domains without restrictions.
Thanks to the new possibilities of HTML5, an attacker can steal data from an iframe through ClickJacking.
If a page does not use the new features introduced by HTML5, it is a good way to protect against the new security risks introduced by those features.
HTML5 makes it easier to protect against XSS.
Local Storage cannot be directly manipulated by XSS.
… modify other currently running scripts.
… simulate user clicks in the browser.
… run arbitrary native code on the user’s machine.
… modify user session data.