Originally Posted by sbhmf
basically, my question is to all readers here who mitigate scripting attack risk on the client side, what is your preferred method, and why?
client side scripting has nothing to do with XSS attacks. i know that sounds funny, but it's true. XSS results from a failure of the server that saves and re-distributes user-entered data without sanitizing it correctly.
in theory, using ajax, it might be possible to filter XSS from user-entered data, but the page would not work without JS, the content would be invisible to search engines by default, and you would have to maintain your scrubber code as new escape sequences and attack patterns are developed.
usually, the raw values don't show up from ajax, they hide in a <title> tag on an items view page, or in the title attrib of a list view. again, this points to the fact that the issue is in the html delivered by the server, not the js code itself. by the time any of your js executes, it's already too late...