Page 1485 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
transmits it to a malicious third party.
At this point, you’re probably asking yourself how anyone would fall
victim to this type of attack. After all, you’re not going to attack
yourself by embedding scripts in the input that you provide to a web
application that performs reflection. The key to this attack is that form
input can be embedded in a link, typically as a parameter in the URL’s
query string. A malicious individual could create a web page with a link
titled “Check your account at First Bank” and encode the script in that
link as form input. When the user follows the link, the page that loads is
an authentic First Bank website (because it is!), with the proper address
in the address bar and a valid digital certificate. However, the website
then reflects the attacker’s input into the page, and the browser executes
the embedded script as though it were part of the legitimate page, in the
security context of the First Bank site and with access to the user’s
session there.
What’s the answer to cross-site scripting? When you create web
applications that accept any type of user input, you must perform input
validation. At the most basic level, you should never allow a user to
include the <SCRIPT> tag in a reflected input field. However, this alone
doesn’t solve the problem; an industrious web application attacker has
many alternatives. The tag can be written in a different letter case, and
script can also be triggered from an event-handler attribute such as
onerror on an ordinary <img> tag, with no <SCRIPT> tag present at all.
The best solution is to decide in advance what type of input you will
allow (an allowlist) and then validate the input to ensure that it matches
that pattern. For example, if you have a text box that allows users to
enter their age, you should accept only one to three digits as input;
your application should reject any other input as invalid. Validation
should be paired with output encoding: any user-supplied value that is
written back into a page should be HTML-encoded at the point where it is
written, so that the browser treats it as text rather than as markup.
For more examples of ways to evade cross-site scripting filters, see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
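The following is an added example, not code from the study guide, that puts the two preceding passages side by side: a page that reflects a query parameter (the “input embedded in a link” attack) and the same page hardened with allowlist validation plus output encoding. The host name firstbank.example, the page path, the parameter name “age” and the payload are all constructed for illustration. It runs under Node.js with no external dependencies.

```javascript
// Added example (not from the study guide). Host, path, parameter and
// payload are constructed for illustration.

// VULNERABLE: reflects the "age" query parameter straight into the page.
function renderAgeVulnerable(queryString) {
  const age = new URLSearchParams(queryString).get("age") || "";
  return `<p>You entered age: ${age}</p>`;
}

// The "encode form input in a link" step: a link on the attacker's own
// site that points at the real bank but carries the script as input.
function craftMaliciousLink(payload) {
  const u = new URL("https://firstbank.example/profile"); // constructed host
  u.searchParams.set("age", payload); // URL-encodes the payload
  return u.toString();
}

// HARDENED, step 1: allowlist validation. An age is one to three digits.
function isValidAge(value) {
  return /^[0-9]{1,3}$/.test(value);
}

// HARDENED, step 2: HTML-encode at the point where the value is written
// into the page, so the browser treats it as text rather than markup.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderAgeHardened(queryString) {
  const age = new URLSearchParams(queryString).get("age") || "";
  if (!isValidAge(age)) {
    return "<p>Invalid age.</p>"; // reject; never reflect the bad input
  }
  return `<p>You entered age: ${htmlEncode(age)}</p>`;
}

// Constructed payload. A filter that only blocks the literal <SCRIPT>
// tag would let this through: the script lives in an event handler.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Walk through the attack once when run directly.
const demoLink = craftMaliciousLink(PAYLOAD);
const demoQuery = new URL(demoLink).search;
console.log("link a victim would click:", demoLink);
console.log("vulnerable page reflects :", renderAgeVulnerable(demoQuery));
console.log("hardened page returns    :", renderAgeHardened(demoQuery));
console.log("hardened page, valid age :", renderAgeHardened("?age=42"));
```

Note that the hardened version does both steps rather than relying on either alone: the allowlist rejects the payload outright, and the encoder guards the case where a later change loosens the validation rule for a field that is still reflected into HTML.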
Cross-Site Request Forgery
Cross-site request forgery attacks, abbreviated as XSRF or CSRF
attacks, are similar to cross-site scripting attacks but exploit a
different trust relationship. XSS attacks exploit the trust that a user
has in a website to execute code on the user’s computer. XSRF attacks