Versions Compared

Comment: grammar fixes, mostly in the introduction

...

Several subsystems exist for the purpose of showing output. An HTML renderer, as part of a web browser, is one common subsystem for displaying output. Data sent to an output subsystem may appear to originate from a trusted source; consequently, it is tempting to assume that output sanitization is unnecessary. However, data sent to an output subsystem may indirectly originate from an untrusted source and may include malicious content. Failure to properly sanitize data for output subsystems can enable several types of attacks. For example, HTML renderers can be prone to HTML injection and Cross-Site Scripting (XSS) [OWASP 2011] attacks. (Note that, although this is not necessarily an attack from one site to another, the term "Cross-Site Scripting attack" is still generally applied to such attacks even when they involve only one site.) Output sanitization to prevent such attacks is as vital as input sanitization.

As with input validation, normalize data before sanitizing it for malicious characters. Properly encode all output characters other than those known to be safe, to avoid vulnerabilities caused by data that bypasses validation. See IDS01-J. Normalize strings before validating them for more information.

...

This noncompliant code example uses the MVC concept of the Java EE based Spring Framework to display data to the user without encoding or escaping it. Because the data is sent to a web browser, the code is subject to both HTML injection and XSS attacks.
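The allow-list encoding the rule calls for, applied to the kind of user-supplied value that the noncompliant example hands to the view unescaped, as an added example that is not part of the CERT rule, the Spring Framework, or any library the rule recommends. It uses only the JDK: java.text.Normalizer supplies the IDS01-J normalization step, and the OutputEncoder class and its methods are hypothetical names written for this illustration. The sample inputs in main are constructed.

```java
import java.text.Normalizer;

/**
 * Added example: encode output for an HTML renderer by allow list.
 * Every character that is not known to be safe in HTML text content is
 * emitted as a numeric character reference, so nothing that slipped past
 * input validation (or was never validated) reaches the browser as markup.
 */
public final class OutputEncoder {

  /** Characters that may be emitted unencoded in HTML text content. */
  private static boolean isSafe(int cp) {
    return (cp >= 'a' && cp <= 'z')
        || (cp >= 'A' && cp <= 'Z')
        || (cp >= '0' && cp <= '9')
        || cp == ' ' || cp == '.' || cp == ',' || cp == '-' || cp == '_';
  }

  /**
   * Step 1 (IDS01-J): normalize, so that look-alike code points such as the
   * fullwidth '<' (U+FF1C) collapse to their ASCII form before encoding.
   * Step 2: encode everything that is not on the allow list.
   */
  public static String encodeForHtml(String input) {
    if (input == null) {
      return "";
    }
    String normalized = Normalizer.normalize(input, Normalizer.Form.NFKC);
    StringBuilder sb = new StringBuilder(normalized.length() * 2);
    int i = 0;
    while (i < normalized.length()) {
      int cp = normalized.codePointAt(i);
      if (isSafe(cp)) {
        sb.appendCodePoint(cp);
      } else {
        sb.append("&#").append(cp).append(';');
      }
      i += Character.charCount(cp);
    }
    return sb.toString();
  }

  public static void main(String[] args) {
    // Constructed sample values standing in for an unvalidated user name
    // that a controller would otherwise place in the model verbatim.
    String[] samples = {
      "Bob",
      "Bob<script>alert(1)</script>",
      "Bob\uFF1Cscript\uFF1E"   // fullwidth angle brackets, NFKC-normalize to < and >
    };
    for (String userName : samples) {
      System.out.println("raw:     " + userName);
      System.out.println("encoded: " + encodeForHtml(userName));
    }
  }
}
```

An allow list is used rather than a deny list of `<`, `>`, `&`, and `"` because the encoder then does not need to anticipate every character an HTML renderer might treat as markup; the cost is only a slightly larger response body. Encoding is performed at the point where the value is placed into the model or view, not at input time, so the same stored value can later be encoded differently for another output subsystem.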

...

The Apache GERONIMO-1474 vulnerability, reported in January 2006, allowed attackers to submit URLs containing JavaScript. The Web-Access-Log viewer failed to sanitize the data it forwarded to the administrator console, thereby enabling a classic Cross-Site Scripting attack.

...