XSS is a vulnerability of the application running on top of the web-server
and browser; there's hardly a way to fix it on a web-server level. But
an outdated web-server may have vulnerabilities of its own.
Of the ways you listed, #1 without #2 usually doesn't work; OTOH #2 done
comprehensively (with some library) usually helps. But it has nothing to
do with Apache.
--
With Best Regards,
Marat Khalili
On 02/05/17 06:24, Hagan, Mark wrote:
Hello All,
Looking for some help to determine if I can configure Apache 2.0.59 to
address a couple Cross Site Scripting (XSS) vulnerabilities. I'm not
able to upgrade to a later version, so I'm trying to understand if
there is functionality within this version to address the XSS issue.
I have 2 specific issues:
1. Validating input (whitelisting acceptable characters)
2. Sanitizing or encoding output (For instance, the character < would
be encoded as &lt; which would be displayed by the browser as the
“less-than” character instead of being interpreted as the start
of an HTML tag.)
I am not an experienced Apache administrator, so any help would be
most appreciated.
Thanks.
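
Added example, not part of the original thread: a sketch of why input whitelisting (#1) alone does not stop XSS in a free-text field, while encoding at the point of output (#2) does. The thread does not say what the application is written in, so Python is an assumption here, and the field names, patterns and sample inputs are hypothetical and constructed for illustration.

```python
import html
import re

# Hypothetical whitelist for a free-text comment field. Real comments need
# characters such as < > & " ' ("if a < b", "Tom & Jerry"), so the whitelist
# cannot exclude them without rejecting legitimate input.
COMMENT_WHITELIST = re.compile(r"[\w\s.,:;!?()<>=/&'\"-]{1,500}")
# Hypothetical strict whitelist for a field with a narrow grammar.
USERNAME_WHITELIST = re.compile(r"[A-Za-z0-9_]{1,32}")

# Constructed sample inputs.
LEGIT = "Tom & Jerry: if a < b"
MARKUP = "<script>alert(1)</script>"
QUOTED = "Tom \"TJ\" O'Neil"


def validate(value, pattern):
    """#1: accept the value only if every character is whitelisted."""
    return pattern.fullmatch(value) is not None


def render_raw(comment):
    """Output without #2: the value is pasted into the markup as-is."""
    return "<p>" + comment + "</p>"


def render_encoded(comment):
    """Output with #2: HTML-encode the value where it is written out."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


def render_attr_encoded(value):
    """#2 for an attribute value: quotes must be encoded as well."""
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'


if __name__ == "__main__":
    for sample in (LEGIT, MARKUP):
        print("whitelist ok:", validate(sample, COMMENT_WHITELIST))
        print("  raw:    ", render_raw(sample))
        print("  encoded:", render_encoded(sample))
    print("strict field rejects markup:",
          not validate(MARKUP, USERNAME_WHITELIST))
    print(render_attr_encoded(QUOTED))
```

Both sample comments pass the comment whitelist; only the encoded renderer keeps the second one from reaching the browser as a tag. The strict pattern shows where #1 does help: fields whose grammar never needs markup characters.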