I come across one interesting thing today, looks like Chrome and Safari are more advanced in preventing XSS attacks than other browsers. To check this, write a small submit form as below
Test1.jsp
Test1.jsp
<body>
<form method="get" action="test2.jsp">
Attack using this box : <input type="text" name="attack"/>
<input type="submit"/>
</form>
</body>
and a page to handle the submit
Test2.jsp
<%=request.getParameter("attack")%>
open the first one in a browser --> enter "<script> alert('hi......'); </script>" in the text box --> submit.
IE, Firefox, Opera - will show you an alert box with message "hi......"
Chrome and Safari - will not show anything but a blank screen.
In Chrome Console you can see the below error,
Refused to execute a JavaScript script. Source code of script found within request.
chrome detects the same source code in request and response and prevents the XSS attack. Same for Post method too.