Content spoofing is a subset of XSS, while reflected XSS involves submitting malicious javascript code in HTTP requests

Content spoofing uses advanced javascript frameworks, while reflected XSS considers the types of input in HTTP requests

Content spoofing involves running attack-driven code in the client browser, while reflected XSS hides legitimate page content with absolutely positioned elements

Content spoofing allows users to change a portion of the URL to modify content directly, while reflected XSS involves tampering with HTTP requests

Html validation and sanitisation

Secure JSON patterns

Contextual output encoding

Input validation

Html validation and sanitisation

Input validation

Secure JSON patterns

Contextual output encoding

When you want to allow all HTML without any restrictions

When you want users to submit any HTML to your website

When you want to allow only a limited subset of HTML and remove dangerous attributes

When you want to eliminate all HTML from user submissions

To deliver an HTML file without data and then populate it with JSON

To populate HTML files with untrusted data directly

To increase the attack surface by allowing untrusted data in JSON

To prevent XSS attacks by parsing JSON data using the eval function

Javascript block content

Javascript attribute context

Attribute context

HTML context

Use JSON.parse to avoid untrusted data in JSON

Use the eval function to prevent untrusted data from coming through

Use HTML sanitisation to parse JSON data

Use unpopulated HTML files for JSON data