Protection Against Xss Exploits

Protection against XSS exploits?

To prevent XSS attacks, you just have to check and validate properly all user-inputted data that you plan on using and don't allow HTML or JavaScript code to be inserted from that form.
Or you can use htmlspecialchars() to convert HTML characters into HTML entities, so characters like < and > that mark the beginning/end of a tag are turned into HTML entities. You can also use strip_tags() to only allow some tags, though the function does not strip out harmful attributes like onclick or onload.

How can I prevent XSS attack in Asp.net Webforms?

You can do at least two things:

  • Clean HTML fragments and documents from constructs that can lead to XSS attacks using the HtmlSanitizer library.
  • Start using content security policy headers to prevent inline execution of the possible injected scripts.

Using `json_encode` to protect against XSS attacks

The encoding to use depends on the output format, so you should use either json_encode or htmlentities depending on the context. This means that the escaping needs to be done on output rather than input. Then any characters added or modified don't affect the rest of the system.

When writing to a JavaScript variable, the double quotes become part of the JavaScript string syntax and don't need to be removed:

<script>
console.log(JSON.parse(<?= json_encode($value, JSON_HEX_QUOT|JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS) ?>));
</script>

When writing to HTML, use htmlentities only:

<div>
<?= htmlentities($value); ?>
</div>
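The same idea in JavaScript, as an added example that is not part of the original answer: one raw value is stored once and encoded at output time for two different contexts, an HTML text node and a JSON literal inside a script element. The function names are my own, not a library API; the \uXXXX escaping stands in for PHP's JSON_HEX_* flags.

```javascript
// Added example (not from the original answer): the same raw value, encoded at
// output time for two contexts. Function names are my own, not a library API.

// HTML body/text context: entity-encode the five significant characters.
// '&' is replaced first so an already-encoded input cannot be re-interpreted later.
function encodeForHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// JavaScript/JSON context: JSON.stringify handles quotes and backslashes; the
// characters the HTML parser cares about (< > & ') are then written as \uXXXX so
// that "</script>" inside the data cannot close the script element. This mirrors
// PHP's JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS (JSON_HEX_QUOT is covered by
// JSON.stringify writing \" ). U+2028/U+2029 are escaped as well because older
// engines treat them as line terminators inside string literals.
function encodeForScriptJson(value) {
  return JSON.stringify(value).replace(/[<>&'\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Two output sites for the same stored value.
function renderDiv(value) {
  return '<div>' + encodeForHtml(value) + '</div>';
}
function renderScript(value) {
  return '<script>\nvar value = ' + encodeForScriptJson(value) + ';\n</script>';
}

// Constructed sample: text that would end the script element and inject markup if
// it were written unencoded into either context.
const SAMPLE = '</script><b>bold</b> & "quoted" \'apostrophe\'';
console.log(renderDiv(SAMPLE));
console.log(renderScript(SAMPLE));
```

Because the raw value is what gets stored, each output site applies only the encoding its own parser needs, and `JSON.parse` on the script-context output yields the original value unchanged.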

How to protect against XSS attacks in Grails app

When you render a field in your view that could potentially contain an XSS attack, you need to encode it as HTML. You should make sure all fields that contain user input are encoded. All of the standard Grails tags encode as HTML. If you use ${} in a view though, that's where you can run into trouble. You need to either manually encode it like ${colorname.encodeAsHTML()} or use a tag like fieldValue if it's a bean property.

You can also set the global default codec with grails.views.default.codec = "html" in Config.groovy.

Watch out for double encoding, and make sure you encode as HTML in your custom tags.

You also reference SQL injection attacks, which are different from XSS attacks. You're only at risk of SQL injection if you're writing your own SQL or HQL and directly interpolating user input into the SQL/HQL. That means do Colors.executeQuery("from Colors where name like ?", params.colorname) instead of Colors.executeQuery("from Colors where name like $params.colorname").

Escaping Good Enough to Prevent XSS Attacks

No, for the HTML body you will also need to encode the & character to prevent an attacker from potentially escaping the escape.

Check out the XSS Experimental Minimal Encoding Rules:

HTML Body (up to HTML 4.01):

  • HTML Entity encode < &

  • specify charset in metatag to avoid UTF7 XSS

XHTML Body:

  • HTML Entity encode < & >

  • limit input to charset http://www.w3.org/TR/2008/REC-xml-20081126/#charsets

Note that if you want to enter stuff inside of an attribute value, then you need to properly encode all characters with special meaning. The XSS (Cross Site Scripting) Prevention Cheat Sheet mentions to encode the following characters:

&, <, >, ", ', /

You must also quote the attribute value for the escaping to be effective.
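An added example, not part of the original answer, showing the attribute-context encoding of the six characters listed above together with the "escaping the escape" problem: when & is left unencoded, entity text typed by a user passes through the encoder untouched and becomes markup the moment something decodes it. The function names are my own, and the entity decoder is a stand-in for whatever consumes the markup later.

```javascript
// Added example (not from the original answer): attribute-context encoding of
// & < > " ' / plus a demonstration of why '&' must be encoded. Names are my own.

const ATTR_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

function encodeForAttribute(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => ATTR_ENTITIES[ch]);
}

// Always emits a quoted value: an unquoted value ends at the first space, so the
// rest of the data would be parsed as further attributes.
function attr(name, value) {
  if (!/^[a-zA-Z][a-zA-Z0-9-]*$/.test(name)) throw new Error('invalid attribute name');
  return name + '="' + encodeForAttribute(value) + '"';
}

// The "minimal" scheme from the question: < and > encoded, & left alone.
function encodeWithoutAmp(value) {
  return String(value).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Stand-in for whatever decodes the markup later (the browser building a text
// node, or application code that decodes the stored value again). One pass only.
const ENTITY_TO_CHAR = { amp: '&', lt: '<', gt: '>', quot: '"', '#x27': "'", '#x2f': '/' };
function decodeEntities(text) {
  return text.replace(/&(amp|lt|gt|quot|#x27|#x2f);/gi, (_, name) => ENTITY_TO_CHAR[name.toLowerCase()]);
}

// Constructed input: the user typed the entity text "&lt;b&gt;", not a tag.
const TYPED = '&lt;b&gt;';

// Without encoding '&', the entities survive encoding and decode into real markup.
function escapedTheEscape() { return decodeEntities(encodeWithoutAmp(TYPED)); }

// With '&' encoded, one decode step gives back exactly what the user typed.
function keptAsText() { return decodeEntities(encodeForAttribute(TYPED)); }

console.log(attr('title', 'x" y="z'));
console.log(escapedTheEscape(), '|', keptAsText());
```

Encoding & first is what keeps the encoder idempotent in meaning: applying it twice produces &amp;amp; (the double-encoding problem mentioned in the Grails answer), but never lets encoded input decode one level further than the user wrote it.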

Prevent XSS attacks in JSPs

Do not save escaped data, escape it when you need to display it:

The way to escape it depends on the context you want to display it in, so if you save it escaped, it will only be usable in that context; and most of the time, escaping functions are not bijective, so you will lose information.

As for the way to encode it to display it in an HTML context, both ways seem correct.

Additionally, to improve the protection against XSS, you should look into CSP (content security policy), it helps a lot, especially for new projects.
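Both this answer and the ASP.NET one above point to a content security policy as the second layer. The following is an added example, not code from either answer: a small parser for a Content-Security-Policy header value and a check for whether an injected inline script would be allowed to run under it. Function names and the sample nonce are my own; the rule encoded is that script-src falls back to default-src, and that a nonce or hash source makes browsers ignore 'unsafe-inline'.

```javascript
// Added example (not from the original answers): parse a CSP header value and
// report whether inline <script> would run under it. Names are my own.

// Splits "directive source source; directive ..." into {directive: [sources]}.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// script-src falls back to default-src; with neither, inline script is unrestricted.
function scriptSources(policy) {
  if ('script-src' in policy) return policy['script-src'];
  if ('default-src' in policy) return policy['default-src'];
  return null;
}

// Inline script runs if 'unsafe-inline' is listed and no nonce or hash source is
// present; once a nonce/hash appears, browsers ignore 'unsafe-inline' (CSP level 2+).
function allowsInlineScript(policy) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (hasNonceOrHash) return false;
  return lower.includes("'unsafe-inline'");
}

// Builds the header value for a nonce-based policy. The nonce must be generated
// fresh per response from a CSPRNG and echoed into each legitimate <script nonce="...">;
// an injected script tag cannot know it and is blocked.
function buildNoncePolicy(nonce) {
  return "default-src 'self'; script-src 'self' 'nonce-" + nonce + "'; object-src 'none'";
}

const SAMPLE_NONCE = 'c29tZS1yYW5kb20tdmFsdWU'; // constructed sample, not a real nonce
console.log('Content-Security-Policy: ' + buildNoncePolicy(SAMPLE_NONCE));
console.log('inline allowed:', allowsInlineScript(parseCsp(buildNoncePolicy(SAMPLE_NONCE))));
```

Running the checker over a site's own header is a quick way to confirm the policy actually removes the inline-execution path rather than merely existing; a policy that lists 'unsafe-inline' without a nonce or hash offers no XSS mitigation for inline injection.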


