Update Cross_Site_Scripting_Prevention_Cheat_Sheet.md (#1457)

* Update Cross_Site_Scripting_Prevention_Cheat_Sheet.md * Fix trailing space lint errors * Update cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md Co-authored-by: Shlomo Zalman Heigh <shlomozalmanheigh@gmail.com> --------- Co-authored-by: Shlomo Zalman Heigh <shlomozalmanheigh@gmail.com>
OWASP · Jul 31, 2024 · de97355 · de97355
1 parent dd803db
commit de97355
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md b/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md
@@ -111,9 +111,11 @@ For JSON, verify that the `Content-Type` header is `application/json` and not `t
 <span style="property : $varUnsafe">Oh no</span>
 ```
 
-If you're using JavaScript to change a CSS property, look into using `style.property = x`. This is a **Safe Sink** and will automatically CSS encode data in it.
+If you're using JavaScript to change a CSS property, look into using
+`style.property = x`.
+This is a **Safe Sink** and will automatically CSS encode data in it.
 
-// Add CSS Encoding Advice
+When inserting variables into CSS properties, ensure the data is properly encoded and sanitized to prevent injection attacks. Avoid placing variables directly into selectors or other CSS contexts.
 
 ### Output Encoding for “URL Contexts”