
XSS prevention

Front-end server

User input validation on the front-end and back-end.

Email validation

// Validate the e-mail value passed in rather than reading the login form
// from inside the function, so the same check can be reused for any input.
function validateEmail(email) {
	const re = /^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
	return re.test(String(email));
}

// Front-end usage with the login form:
validateEmail($("#login input[name=email]").val());

Input sanitization (using the DOMPurify library)

<script type="text/javascript" src="dist/purify.min.js"></script>
// `dirty` holds untrusted HTML (e.g. a user-submitted comment); only the sanitized result is inserted into the DOM (e.g. element.innerHTML = clean)
let clean = DOMPurify.sanitize( dirty );

Direct Input

Always ensure that user input is never inserted directly into the following HTML contexts:

JavaScript code <script></script>
CSS style code <style></style>
Tag/Attribute fields <div name='INPUT'></div>
HTML Comments <!-- -->
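The following is an added example, not code from the original notes, showing the rule above in practice: entity encoding is the right fix for text-node output, but no encoding makes raw input safe inside <script>, <style>, <!-- --> or a tag's attribute area, so a template check rejects those placements outright. The function names and the {{input}} marker are my own.

```javascript
const MARKER = "{{input}}";
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Entity-encode a value for an HTML text node (the same encoding is also
// what a quoted attribute value would need).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Regions of a template where user input must never be placed, each with a
// regex whose whole match is the region (opening tag included).
const FORBIDDEN_REGIONS = [
  ["script", /<script\b[^>]*>[\s\S]*?<\/script>/gi],
  ["style", /<style\b[^>]*>[\s\S]*?<\/style>/gi],
  ["comment", /<!--[\s\S]*?-->/g],
  ["tag", /<[a-zA-Z][^>]*>/g], // inside a start tag: tag-name or attribute position
];

// Report the forbidden context(s) in which the {{input}} marker appears.
// An empty array means every marker sits in a plain text-node context.
function findUnsafeInsertions(template) {
  const found = [];
  for (const [name, re] of FORBIDDEN_REGIONS) {
    for (const match of template.matchAll(re)) {
      if (match[0].includes(MARKER)) found.push(name);
    }
  }
  return found;
}

// Render only when the marker is in a context that entity encoding protects.
function renderSafe(template, userValue) {
  const unsafe = findUnsafeInsertions(template);
  if (unsafe.length > 0) {
    throw new Error(`user input placed inside forbidden context: ${unsafe.join(", ")}`);
  }
  return template.split(MARKER).join(escapeHtml(userValue));
}

// Constructed input for a quick self-check when run directly.
console.log(renderSafe("<p>{{input}}</p>", '<b>"hello"</b>'));
// -> <p>&lt;b&gt;&quot;hello&quot;&lt;/b&gt;</p>
```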

Back-end server

Email validation using regex or library functions

Input sanitization

Server configurations

Web Application Firewall (WAF)
