{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,8]],"date-time":"2026-01-08T00:25:56Z","timestamp":1767831956257,"version":"3.49.0"},"reference-count":16,"publisher":"Association for Computing Machinery (ACM)","issue":"5","license":[{"start":{"date-parts":[[2011,9,30]],"date-time":"2011-09-30T00:00:00Z","timestamp":1317340800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["SIGSOFT Softw. Eng. Notes"],"published-print":{"date-parts":[[2011,9,30]]},"abstract":"<jats:p>Proliferation of social networking sites, and web applications which deliver dynamic content to the clients have increased the user created HTML content in the World Wide Web. This user-created HTML content can be a notorious vector for Cross-Site Scripting,(XSS) attacks. XSS attacks have the ability to target websites, steal confidential information of the users, and hijack their accounts, etc. XSS attacks are launched to exploit the vulnerabilities of the poorly developed application code and data processing systems. In particular, improper validation of user created content and un-sanitized custom error messages introduce vulnerability for XSS attacks. It is a challenging task for any security mechanism to filter out only the harmful HTML content and retain safe content with high fidelity and robustness. This has motivated us to develop a mechanism that filters out the harmful HTML content, and allows safe HTML. The existing solutions to XSS attack include use of regular expressions to detect the presence of dynamic content and client side filtering mechanisms such as Noscript and Noxes tool. The drawbacks of these solutions are low fidelity and disallowing of benign HTML. In order to overcome these drawbacks BIXSAN, a Browser Independent XSS SANitizer for prevention of XSS attacks is proposed in this paper. BIXSAN includes the proposition of three pronged strategy. These strategies are as follows: Firstly the use of complete HTML parser is proposed rather than approximating the behavior of parser. The advantage of using complete HTML parser is that it offers high fidelity. Secondly the use of modified browser, viz., JavaScript Tester is proposed to detect the presence of JavaScript for filtering it out. Thirdly, identification of static tags is proposed for allowing the benign HTML. Further, BIXSAN includes the proposition of a parse tree generator at client side browser to reduce the anomalous behavior of browsers. BIXSAN was experimented in various browsers such as Opera, Netscape, Internet Explorer (IE), and Firefox and found to work for all the browsers. From the experiments conducted it has been found that the proposed BIXSAN prevents the injection of XSS attack code successfully. Further, it has been verified that BIXSAN reduces the anomalous behavior of browse.<\/jats:p>","DOI":"10.1145\/2020976.2020996","type":"journal-article","created":{"date-parts":[[2011,10,11]],"date-time":"2011-10-11T14:29:02Z","timestamp":1318343342000},"page":"1-7","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":6,"title":["BIXSAN"],"prefix":"10.1145","volume":"36","author":[{"given":"Sharath Chandra","family":"V.","sequence":"first","affiliation":[{"name":"National Institute of Technology, Tiruchirappalli - 620015, Tamil Nadu, India"}]},{"given":"S.","family":"Selvakumar","sequence":"additional","affiliation":[{"name":"National Institute of Technology, Tiruchirappalli - 620015, Tamil Nadu, India"}]}],"member":"320","published-online":{"date-parts":[[2011,9,30]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"crossref","first-page":"19","DOI":"10.1787\/9789264037472-en","volume-title":"Technology and Industry, Participative Web and User-Created Content: Web 2.0, Wikis and Social Networking","author":"Science OECD","year":"2007","unstructured":"OECD Directorate for Science , Technology and Industry, Participative Web and User-Created Content: Web 2.0, Wikis and Social Networking . OECD Publishing , Oct. 2007 Ch. 2, pp. 19 -- 25 . OECD Directorate for Science, Technology and Industry, Participative Web and User-Created Content: Web 2.0, Wikis and Social Networking. OECD Publishing, Oct. 2007 Ch. 2, pp.19--25."},{"key":"e_1_2_1_2_1","unstructured":"Open Web Application Security Project \"OWASP Top ten web vulnerabilities \"https:\/\/www.owasp.org\/index.php\/Top_10_2007  Open Web Application Security Project \"OWASP Top ten web vulnerabilities \"https:\/\/www.owasp.org\/index.php\/Top_10_2007"},{"key":"e_1_2_1_3_1","unstructured":"\"XSSed | Cross Site Scripting (XSS) attacks information and archive\" www.xssed.com  \"XSSed | Cross Site Scripting (XSS) attacks information and archive\" www.xssed.com"},{"issue":"2","key":"e_1_2_1_4_1","first-page":"8","article-title":"Cross Site Scripting-Latest developments and solutions: A survey Int","volume":"1","author":"Shanmugam Jayamsakthi","year":"2008","unstructured":"Jayamsakthi Shanmugam and M. Ponnavaikko \" Cross Site Scripting-Latest developments and solutions: A survey Int . J. Open Problems Compt. Math. , Vol. 1 , No. 2 , pp. 8 -- 28 , September 2008 Jayamsakthi Shanmugam and M. Ponnavaikko \"Cross Site Scripting-Latest developments and solutions: A survey Int. J. Open Problems Compt. Math., Vol. 1, No. 2, pp. 8--28, September 2008","journal-title":"J. Open Problems Compt. Math."},{"key":"e_1_2_1_5_1","unstructured":"\"Cross-site scripting -- Wikipedia\" http:\/\/en.wikipedia.org\/wiki\/Cross-site_scripting.  \"Cross-site scripting -- Wikipedia\" http:\/\/en.wikipedia.org\/wiki\/Cross-site_scripting."},{"key":"e_1_2_1_6_1","unstructured":"\"Same origin policy\" http:\/\/en.wikipedia.org\/w\/index.php?title=Same originpolicy&oldid=190222964  \"Same origin policy\" http:\/\/en.wikipedia.org\/w\/index.php?title=Same originpolicy&oldid=190222964"},{"key":"e_1_2_1_7_1","unstructured":"\"HTTP cookie -- Wikipedia\" http:\/\/en.wikipedia.org\/wiki\/HttpOnly#cookie_theft.  \"HTTP cookie -- Wikipedia\" http:\/\/en.wikipedia.org\/wiki\/HttpOnly#cookie_theft."},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/1141277.1141357"},{"key":"e_1_2_1_9_1","unstructured":"D. Ross \"IE 8 XSS filter architecture \/ implementation \" http:\/\/blogs.technet.com\/swi\/archive\/2008\/08\/19\/ie-8-xss-filterarchitecture-implementation.asp  D. Ross \"IE 8 XSS filter architecture \/ implementation \" http:\/\/blogs.technet.com\/swi\/archive\/2008\/08\/19\/ie-8-xss-filterarchitecture-implementation.asp"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/1772690.1772701"},{"key":"e_1_2_1_11_1","volume-title":"for filter evasion","author":"Hansen R.","year":"2008","unstructured":"R. Hansen , \" XSS (cross site scripting) cheat sheet esp : for filter evasion ,\" 2008 . http:\/\/ha.ckers.org\/xss.html R. Hansen, \"XSS (cross site scripting) cheat sheet esp: for filter evasion,\" 2008. http:\/\/ha.ckers.org\/xss.html"},{"key":"e_1_2_1_12_1","unstructured":"E.Z. zang \"HTML purifier: default whitelist\" available: http:\/\/htmlpurifier.org\/live\/smoketests\/printDefinition.php  E.Z. zang \"HTML purifier: default whitelist\" available: http:\/\/htmlpurifier.org\/live\/smoketests\/printDefinition.php"},{"key":"e_1_2_1_13_1","unstructured":"World Wide Web consortium \"Document Object Model level 2 core specification \"http:\/\/www.w3c.org\/TR\/DOM-level-2-core\/  World Wide Web consortium \"Document Object Model level 2 core specification \"http:\/\/www.w3c.org\/TR\/DOM-level-2-core\/"},{"key":"e_1_2_1_14_1","unstructured":"Conceptual architecture of firefox. http:\/\/web.uvic.ca\/~hitchner\/assign1.pdf  Conceptual architecture of firefox. http:\/\/web.uvic.ca\/~hitchner\/assign1.pdf"},{"key":"e_1_2_1_15_1","unstructured":"M. wallent \"about Dynamic properties\". http:\/\/msdn.microsoft.com\/en-us\/library\/ms537634.aspx  M. wallent \"about Dynamic properties\". http:\/\/msdn.microsoft.com\/en-us\/library\/ms537634.aspx"},{"key":"e_1_2_1_16_1","unstructured":"XSS(cross site scsripting ) prevention cheat sheet OWASP http:\/\/www.owasp.org\/index.php\/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet  XSS(cross site scsripting ) prevention cheat sheet OWASP http:\/\/www.owasp.org\/index.php\/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet"}],"container-title":["ACM SIGSOFT Software Engineering Notes"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2020976.2020996","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2020976.2020996","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T09:54:22Z","timestamp":1750240462000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2020976.2020996"}},"subtitle":["browser independent XSS sanitizer for prevention of XSS attacks"],"short-title":[],"issued":{"date-parts":[[2011,9,30]]},"references-count":16,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2011,9,30]]}},"alternative-id":["10.1145\/2020976.2020996"],"URL":"https:\/\/doi.org\/10.1145\/2020976.2020996","relation":{},"ISSN":["0163-5948"],"issn-type":[{"value":"0163-5948","type":"print"}],"subject":[],"published":{"date-parts":[[2011,9,30]]},"assertion":[{"value":"2011-09-30","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}