Web appli­ca­tions (such as SIF Agents and Zone Inte­gra­tion Servers) that send and receive data have the poten­tial for being attacked using a method called cross-site script­ing(or XSS). XSS enables its attack­ers to embed scripts into the receive pages of the web appli­ca­tion and caus­es unwant­ed actions to occur in the send­ing appli­ca­tion (or com­put­er). In the recent past, these breach­es account­ed for more than 80% of all secu­ri­ty vulnerabilities.

To avoid such attacks, send­ing appli­ca­tions (SIF Agents in our case) should fol­low these guide­lines when prepar­ing the data to be sent in their POST strings:

• Make sure that the XML mes­sage is HTML encod­ed (this will make replace­ments such as chang­ing "< " to "&lt;", etc.) — most pro­gram­ming envi­ron­ments have built-in libraries for mak­ing this sim­ple. In .NET, the Htm­lEn­code method and HttpServerUtil­i­ty class­es per­form this functionality.
• Make sure that any URLs in ele­ments in the mes­sage are URL encod­ed (these might appear in SchoolIn­fo in the School's Web­site URL Ele­ment or in the Stu­dent­Pic­ture object) — In .NET, the UrlEn­code method of the HttpUtil­i­ty and HttpServerUtil­i­ty class­es per­form this functionality.
• If any ele­ment con­tains HTML (such as in a descrip­tion), make sure that they do not include any­thing that is valid in an XML statement.

In Microsoft .NET 4.0 (which the ZIS uses), Microsoft added a lay­er of pro­tec­tion which guards against XSS attacks. After IIS receives an incom­ing mes­sage and before .NET process­es an application's Begin­Re­quest event, it checks for any of the signs that would indi­cate a cross-site script­ing attack. If it finds any, it logs an event in the sys­tem error log and dis­cards the message.

From the ZIS's per­spec­tive, it nev­er receives the inbound message.