Security (1/4)
How does HTML help prevent XSS?
    HTML Practices to Prevent Cross-Site Scripting (XSS)

    Cross-Site Scripting (XSS) happens when malicious scripts are injected into web pages viewed by other users. While HTML alone cannot fully prevent XSS, using proper HTML practices and attributes helps reduce risks by controlling how content is rendered and interpreted by the browser.

    Ways HTML Helps Prevent XSS
    • **Proper Escaping:** HTML entities (`<`, `>`, `&`) prevent user input from being treated as executable code.
    • **`<script>` Restrictions:** Avoid inline scripts in HTML to reduce injection points.
    • **`<iframe>` sandboxing:** Using the `sandbox` attribute limits what embedded content can do.
    • **Content Security Policies (CSP):** Applied via `<meta http-equiv>` in HTML to restrict inline scripts and unsafe resources.
    • **`<input>` Attributes:** Attributes like `maxlength`, `pattern`, and `type` help limit unsafe input at the client-side.
    Example of Escaping User Input in HTML

    In short: HTML by itself doesn’t eliminate XSS but provides attributes and escaping mechanisms that, when combined with server-side validation and CSP, greatly reduce the risk of script injection.