Demonstrating the problem
During XSS demos and vulnerability testing, it's easy to use some code like
- Changed the site title and site email address.
- Changed the administrator's username, email, and password.
- Set a site-offline message and put the site in offline status.
Protecting against XSS
The most effective method to protect against cross-site scripting is to disable the use of the Full HTML input format by anonymous users. In general, you should understand how to configure your site securely and know what actions you allow untrusted users to perform.
Note that Drupal does not come by default with Full HTML enabled for anonymous users.
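The recommendation above is easy to state but worth checking on a live site, because a role may have been granted the permission after installation. The following script is an added example, not code from the Drupal documentation or from Drupal core; it assumes a Drupal 8 or later site, is run in a bootstrapped context such as `drush php:script`, and uses the default machine name `full_html` for the Full HTML text format (the script file name is an assumption).

```php
<?php
// Added example, not part of the original page or of Drupal core.
// Assumes Drupal 8+ and a bootstrapped context, e.g.:
//   drush php:script audit_full_html.php
// 'full_html' is the machine name Drupal uses for the Full HTML format by default.

use Drupal\filter\Entity\FilterFormat;
use Drupal\user\Entity\Role;

/**
 * Returns the IDs of all roles allowed to use the given text format.
 *
 * Every text format exposes a permission named "use text format <id>";
 * roles flagged as administrator hold every permission implicitly.
 */
function audit_text_format_roles(string $format_id): array {
  $format = FilterFormat::load($format_id);
  if (!$format) {
    // Format does not exist on this site; nothing can use it.
    return [];
  }
  $permission = $format->getPermissionName();

  $allowed = [];
  foreach (Role::loadMultiple() as $role) {
    if ($role->isAdmin() || $role->hasPermission($permission)) {
      $allowed[] = $role->id();
    }
  }
  return $allowed;
}

$allowed = audit_text_format_roles('full_html');
print 'Roles that can use Full HTML: ' . implode(', ', $allowed) . PHP_EOL;

// The page's guidance: untrusted roles must not hold this permission.
foreach (['anonymous', 'authenticated'] as $untrusted) {
  if (in_array($untrusted, $allowed, TRUE)) {
    print "WARNING: role '$untrusted' can post Full HTML; remove the permission." . PHP_EOL;
  }
}
```

On a default installation the output lists only the administrator role. Any untrusted role in the list means user-supplied markup is rendered without filtering for that role, which is exactly the condition the demo above relies on.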
Be mindful of contributed modules
It's also common for contributed modules to print user-supplied data insecurely, which can make the site more vulnerable to an XSS attack. Popular modules are usually more thoroughly vetted and therefore safer to use. Also, if you're developing your own code, be sure that you're correctly using the APIs and following best practices.
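To make "correctly using the APIs" concrete, here is an added example (not code from the Drupal documentation, from Drupal core, or from any contributed module) of the same controller written insecurely and then with Drupal's escaping APIs. It assumes a Drupal 8 or later custom module; the module name `example_xss`, the class name and the query parameter `name` are assumptions.

```php
<?php
// Added example, not part of the original page or of Drupal core.
// Assumes a Drupal 8+ custom module named 'example_xss' (assumed name).

namespace Drupal\example_xss\Controller;

use Drupal\Component\Utility\Html;
use Drupal\Component\Utility\Xss;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Render\Markup;
use Symfony\Component\HttpFoundation\Request;

class GreetingController extends ControllerBase {

  /**
   * Vulnerable: attacker-controlled input is concatenated into markup.
   *
   * Markup::create() tells the render system the string is already safe,
   * so no filtering is applied and a 'name' such as <script>…</script>
   * is sent to the browser verbatim.
   */
  public function vulnerable(Request $request): array {
    $name = $request->query->get('name', '');
    return [
      '#markup' => Markup::create('<p>Hello ' . $name . '</p>'),
    ];
  }

  /**
   * Hardened: let the API escape for you instead of asserting safety.
   */
  public function hardened(Request $request): array {
    $name = $request->query->get('name', '');
    return [
      // '@' placeholders in t() are HTML-escaped before substitution.
      'greeting' => [
        '#markup' => $this->t('Hello @name', ['@name' => $name]),
      ],
      // '#plain_text' is always escaped by the render system.
      'echo' => [
        '#plain_text' => $name,
      ],
    ];
  }

  /**
   * When building a string by hand, escape it explicitly.
   */
  public static function escapedGreeting(string $name): string {
    return 'Hello ' . Html::escape($name);
  }

  /**
   * Where a small HTML subset is genuinely wanted (e.g. a user bio),
   * allow-list the tags; Xss::filter() also strips dangerous attributes
   * such as event handlers and javascript: URLs.
   */
  public static function sanitizeBio(string $bio): string {
    return Xss::filter($bio, ['p', 'em', 'strong', 'a']);
  }

}
```

The design point is that every path which reaches the browser should go through an API that escapes or filters by default (`t()` placeholders, `#plain_text`, `Html::escape()`, `Xss::filter()`); `Markup::create()` and raw `#markup` built from user data are the patterns to look for when reviewing a contributed module.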