I'm trying to prevent possible cross-site scripting attacks for our internal-use app (but available publicly outside the firewall).
I tried encoding/escaping, but they skip the single quote. This is a case where I'm just passing the URL through. But theoretically, if an attacker tricked somebody into launching his site when they are in ours, then I guess he could get script to execute in our page.
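The gap described in the post, an encoder that leaves the single quote alone while a URL is passed through into markup, shown as an added example that is not code from the post. It assumes the URL is written into a single-quoted `href`; the function names, the scheme allow-list and the sample URL are constructed for illustration.

```javascript
// Added example. All names and the sample input below are constructed.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Encoder with the gap from the post: & < > " are escaped, ' is not.
function weakEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Attribute encoder that also covers the single quote.
function encodeAttr(s) {
  return weakEncode(s).replace(/'/g, "&#39;");
}

// Accept only absolute http(s) URLs. Encoding alone does not stop
// other schemes, so the scheme is checked before the value is used.
function checkUrl(raw) {
  try {
    const u = new URL(String(raw));
    return ALLOWED_SCHEMES.has(u.protocol) ? String(raw) : null;
  } catch {
    return null; // relative or unparsable input is rejected
  }
}

// Writes the passed-through URL into a single-quoted href attribute.
function renderLink(raw, encode) {
  const url = checkUrl(raw);
  if (url === null) return "<a>link removed</a>";
  return "<a href='" + encode(url) + "'>continue</a>";
}

// Constructed input: a quote in the fragment closes the attribute early.
const SAMPLE = "https://app.example.test/next#' data-injected='1";

console.log(renderLink(SAMPLE, weakEncode)); // extra attribute appears
console.log(renderLink(SAMPLE, encodeAttr)); // value stays inside href
console.log(renderLink("javascript:void(0)", encodeAttr)); // rejected
```

With the weak encoder the markup gains a second attribute that came from the URL; with the quote encoded, the whole value stays inside `href`.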