Drupal Text Output Security Guidelines
This article was published in the print magazine Drupal Watchdog, Volume 6 Issue 3, on page 9, by Linux New Media.
In the ongoing battle against website attacks based on cross-site scripting (XSS), the essential strategy is to prevent user-added text from later being displayed on your site without first filtering out potentially malicious JavaScript, which would otherwise execute in the browsers of unsuspecting visitors. Drupal makes it easier for site builders to prevent these attacks, but its safeguards only help if builders know to use them. One of the Drupal.org documentation pages offers helpful advice on sanitizing user-provided text.
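To make the contrast concrete, here is an added example (not code from the article or from Drupal's documentation) showing the same user-submitted string handled three ways with Drupal 8+'s sanitization API; the comment text is constructed, and the snippet assumes it runs inside a module where the `Drupal\Component\Utility` classes are autoloaded.

```php
<?php
// Added example: sanitizing user text before output in Drupal 8+.
// Assumes the Drupal\Component\Utility classes are autoloaded (custom module).

use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;

// Constructed sample input: a comment body carrying a script tag.
$user_text = '<b>Nice post</b> <script>alert(1)</script>';

// The defect the article warns about: raw user text concatenated straight
// into HTML, so the <script> element reaches the visitor's browser intact.
$unfiltered = '<p>' . $user_text . '</p>';

// 1. Plain-text context: escape everything. The tags are shown as literal
//    characters ("&lt;b&gt;Nice post&lt;/b&gt; ...") and never execute.
$escaped = Html::escape($user_text);

// 2. Limited-HTML context: keep only an explicit allow-list of harmless tags.
//    Xss::filter() drops the <script> element (leaving its text), and also
//    strips on* event attributes and javascript: URLs from the allowed tags.
//    Result: "<b>Nice post</b> alert(1)"
$filtered = Xss::filter($user_text, ['b', 'em', 'strong', 'a']);

// 3. In a render array, prefer #plain_text for untrusted strings: Drupal
//    escapes it on output. #markup is only passed through Xss::filterAdmin(),
//    a broad admin-oriented tag list, and should not carry raw user input.
$build = [
  'comment_safe' => ['#plain_text' => $user_text],
  'comment_html' => ['#markup' => $filtered],
];
```

The choice between escaping and filtering depends on the output context: use Html::escape() (or #plain_text) wherever the text is not meant to contain HTML at all, and reserve Xss::filter() for fields where a small set of formatting tags is intentionally allowed.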