What it is
Cross-site scripting (XSS) is an attack where malicious script is injected into a page and runs in a victim’s browser. Untrusted HTML is the classic vector.
In the Credicorp API
To reduce XSS risk, the CMS endpoint sanitises its HTML before serving it. Because you are ultimately responsible for what renders on your page, still apply your framework’s escaping and a Content-Security-Policy. See HTML sanitisation.
Frequently asked questions
Does sanitisation alone stop XSS?
It removes the obvious vectors, but you should layer your own escaping and a Content-Security-Policy at render time. Defence in depth is the rule.
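The layering described above (upstream sanitisation, escaping at render time, a Content-Security-Policy), as an added JavaScript example that is not Credicorp's code; the record shape { title, body }, the tripwire pattern and the nonce value are assumptions.

```javascript
// Added example (not Credicorp's code): defence-in-depth layers at render time.
// The CMS record shape { title, body } is assumed.

// Escape the characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Tripwire, not a sanitiser: flags markup a sanitised body should never carry,
// so an upstream failure is logged and the body is served as text instead.
function looksUnsanitised(html) {
  return /<script\b|\son\w+\s*=|javascript:/i.test(html);
}

// Build the page and its headers. The title is plain text, so it is escaped.
// The body is the CMS's sanitised HTML and is inserted as markup, behind a CSP
// that executes only scripts carrying this response's nonce (assumed to be
// freshly random per response in real use).
function renderPage(record, nonce) {
  const unsafe = looksUnsanitised(record.body);
  if (unsafe) console.warn('CMS body failed sanitisation tripwire; rendering as text');
  const body = unsafe ? escapeHtml(record.body) : record.body;
  const html = `<!doctype html><html><head><title>${escapeHtml(record.title)}</title></head>` +
    `<body><h1>${escapeHtml(record.title)}</h1><div>${body}</div>` +
    `<script nonce="${nonce}">/* page script */</script></body></html>`;
  const headers = {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': [
      "default-src 'self'",
      `script-src 'nonce-${nonce}'`,
      "object-src 'none'",
      "base-uri 'self'",
    ].join('; '),
  };
  return { html, headers };
}

// Constructed sample: a user-typed title and a body the CMS already sanitised.
const sampleRecord = {
  title: 'Rates <script>alert(1)</script> & terms',
  body: '<p>Short-term <b>working capital</b></p>',
};

const rendered = renderPage(sampleRecord, 'r4nd0m');
console.log(rendered.headers['Content-Security-Policy']);
console.log(rendered.html);
```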