Bart Van der Donck

rashmi said:
| i want to restrict the user not to write anything in the URL

You cannot restrict a user in that; he can type any URL he wants. You
can only perform a check at the server once the URL has arrived there.

| if the user is accessing the URL like
| http://localhost:8100/cms/login.jsp?txtname=rashmi and if he will
| write in the url like
| http://localhost:8100/cms/login.jsp?txtname=<script>alert("ras");</script>rashmi
| then how will I restrict the user from doing that?

And what about the following derivatives? Just to give a few examples:

&lt;script&gt;alert("ras");&lt/script&gt;
%3Cscript%3Ealert("ras");%3C%2Fscript%3E
%26lt%3Bscript%26gt%3Balert%28%22ras%22%29%3B%26lt%2Fscript%26gt%3B
\u003Cscript\u003Ealert("ras");\u003C/script\u003E
%%33Cscript>alert("ras");</script>
%253Cscript>alert("ras");</script>
<script>alert("ras");</script>
%26%260060%3Bscript>alert("ras");</script>
\x3Cscript>alert("ras");</script>
%5Cx3Cscript>alert("ras");</script>
...

http://en.wikipedia.org/wiki/Cross_site_scripting#Other_forms_of_mitigation

| But due to the flexibility and complexity of HTML and related
| standards, and the continuous addition of new features, it is
| almost impossible to know for sure if all possible injections
| are eliminated. In order to eliminate certain injections, any
| server-side algorithm must either reject broken HTML, understand
| how every browser will interpret broken HTML, or (preferably)
| fix the HTML to be well-formed.
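An added example, not Bart's code or anything posted in the thread, written in Python as a stand-in for the JSP the question concerns. It shows why a "reject if the value contains <script" check fails against the encoded variants listed above, while HTML output encoding renders every one of them harmless. The sample values are constructed from the thread, and the single percent-decoding round is an assumption standing in for what the servlet container does before the page sees the parameter:

```python
import html
from urllib.parse import unquote

# Constructed sample values for the txtname parameter as they would appear
# in the raw query string (the plain form from the question plus three of
# the encoded variants listed in the reply). Test data, not captured traffic.
RAW_VALUES = {
    "plain": '<script>alert("ras");</script>rashmi',
    "entity": '&lt;script&gt;alert("ras");&lt;/script&gt;rashmi',
    "percent": '%3Cscript%3Ealert("ras");%3C%2Fscript%3Erashmi',
    "double_percent": '%253Cscript>alert("ras");</script>rashmi',
}


def blacklist_passes(value: str) -> bool:
    """The kind of check the question asks for. True means 'let it through'."""
    return "<script" not in value.lower()


def container_decode(value: str) -> str:
    """One round of percent-decoding, assumed to model what the servlet
    container applies to request.getParameter() before the JSP runs."""
    return unquote(value)


def render_greeting(name: str) -> str:
    """Output-encode for an HTML text context: '<', '>', '&' and quotes
    become entities, so whatever arrived is displayed rather than parsed."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def contains_raw_tag(markup: str) -> bool:
    """True if the rendered markup still holds an unescaped <script tag."""
    return "<script" in markup.lower()


def evaluate(raw: str) -> dict:
    """Compare the blacklist (before and after decoding) with output encoding."""
    decoded = container_decode(raw)
    return {
        "blacklist_on_raw": blacklist_passes(raw),
        "blacklist_after_decode": blacklist_passes(decoded),
        "escaped_output_safe": not contains_raw_tag(render_greeting(decoded)),
    }


if __name__ == "__main__":
    for label, raw in RAW_VALUES.items():
        print(f"{label:15} {evaluate(raw)}")
```

The percent-encoded value passes the check on the raw string and only fails it after decoding; the double-encoded value passes even after one decode, yet escaping on output neutralises both. In JSP the equivalent of `render_greeting` is emitting the value through `<c:out>` or `fn:escapeXml` instead of a raw expression.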
 

Thomas 'PointedEars' Lahn
