13. What is Cross-Site Scripting (XSS) and how can we prevent it?
hard
Cross-Site Scripting (XSS) is a common security vulnerability that allows an attacker to inject malicious code into a website, potentially allowing them to steal user data or perform unauthorized actions on behalf of the user.

To prevent XSS attacks, you can use various techniques such as input validation, output encoding, and same-origin policy.
const input = document.getElementById('input');

function validateInput(value) {
  // Check for expected format and content
  const regex = /^[a-zA-Z0-9]+@[a-zA-Z0-9]+\.[a-zA-Z]{2,}$/;
  return regex.test(value);
}

function encodeOutput(value) {
  const encodedValue = value.replace(/<script>/g, '<script>');
  return encodedValue;
}

input.addEventListener('keyup', function() {
  const inputValue = this.value;
  if (!validateInput(inputValue)) {
    alert('Invalid input! Please enter a valid email address.');
    return;
  }
  // Encode output
  const encodedOutput = encodeOutput(inputValue);
  console.log(encodedOutput);
});

In this example, we are checking the user's input for a valid email address using the `validateInput()` function. We also use the `encodeOutput()` function to convert any special characters in the input value to their corresponding HTML entities.
To further prevent XSS attacks, you can also use Content Security Policy (CSP) headers to specify which resources are allowed to be loaded on your website. CSP helps prevent attacks by allowing you to define a whitelist of approved sources for scripts, stylesheets, and other resources.
const policy = 'default-src 'self' https://example.com; 
 script-src 'self' https://example.com;
style-src 'self' https://example.com;
font-src 'self' https://example.com; img-src 'self' data:;';

const element = document.createElement('meta');
element.name = 'Content-Security-Policy';
element.content = policy;
document.head.appendChild(element);
In this example, we are setting the `Content-Security-Policy` header to allow resources from the `self` origin (i.e., the same domain as the website) and the `https://example.com` origin. We also specify allowed sources for scripts, stylesheets, fonts, and images.

Overall, preventing XSS attacks requires a combination of input validation, output encoding, and same-origin policy enforcement. By implementing these techniques, you can protect your website and user data from malicious attacks.