ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
During security testing of a new customer support portal, the team confirms that every form field is validated against a strict allow-list for length and allowed characters. Despite this, stored cross-site scripting is still possible because attackers embed HTML in comment text that is later rendered to other users. Which additional secure coding measure most directly eliminates this vulnerability?
Replace the allow-list with a deny-list that strips known dangerous tags such as
Answer Description
Allow-list input validation helps reduce unexpected data, but it does not neutralize markup that is still permitted by the rules. When untrusted content is later inserted into an HTML page, the browser interprets any remaining tags or script. Context-aware output encoding (for example, HTML entity encoding or JavaScript string encoding) converts the characters that have special meaning in the target context into harmless representations before the data is delivered to the client. This prevents the browser from executing the attacker's scripts. Enforcing HTTPS or HSTS protects data in transit but does not stop XSS. Relocating validation to the client merely duplicates checks an attacker can bypass. Switching to a deny-list that strips known dangerous tags is brittle and frequently bypassed; modern guidance favors allow-list validation plus proper output encoding.
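As an added illustration (not part of the question or its official answer), the constructed Python snippet below shows why the allow-list described above still passes markup, and how context-aware output encoding neutralizes it in two different output contexts. The field rules (up to 200 printable ASCII characters), the sample comment and the function names are assumptions made for this example.

```python
import html
import json
import re

# Assumed field rule (constructed for this example): the comment must be 1-200
# printable ASCII characters. That allow-list still admits < > " ' and &, the
# characters that carry meaning once the text is placed in an HTML page.
ALLOWED = re.compile(r"[\x20-\x7e]{1,200}")

# Constructed sample comment containing markup that the allow-list permits.
SAMPLE = "Thanks! <script>alert(1)</script>"


def validate_comment(text: str) -> bool:
    """Allow-list validation: checks only length and character class."""
    return ALLOWED.fullmatch(text) is not None


def render_unencoded(comment: str) -> str:
    """Vulnerable rendering: the validated comment is interpolated as-is, so
    the browser parses any tags it contains."""
    return f'<p class="comment">{comment}</p>'


def render_html_context(comment: str) -> str:
    """HTML body context: entity-encode & < > " ' so the browser displays the
    characters instead of interpreting them as markup."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_js_context(comment: str) -> str:
    """JavaScript string context: emit a JSON string literal and additionally
    escape < and > as \\u003c / \\u003e so the value can never close the
    surrounding <script> element or start a new tag."""
    literal = json.dumps(comment).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var lastComment = {literal};</script>"


def contains_raw_script_tag(rendered: str) -> bool:
    """Crude check used here to show the difference: does a literal <script
    tag from the comment survive into the rendered output?"""
    body = rendered.split(">", 1)[1] if rendered.startswith("<p") else rendered[len("<script>"):]
    return "<script" in body
```

Run `validate_comment(SAMPLE)` to confirm the input passes validation, then compare the three render functions on the same comment.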