Which two measures are most effective in protecting websites from cross-site scripting (XSS) attacks?
A. Execute all user-supplied scripts in a server-side sandbox.
B. Escape “<” and “>” parameters that are displayed or evaluated by the JavaScript interpreter.
C. URL-encode “<” and “>” parameters so they will never be evaluated by the JavaScript interpreter.
D. Ensure that the session cookie is sent only on HTTPS connections.
E. Treat all user-supplied input as unsafe, and whitelist known good characters.
BE is the correct answer.
Ref: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
D is wrong because HTTPS can prevent a man-in-the-middle attack, not XSS.