The following answer may be wrong. May I ask for some help here?
Which two measures are most effective in protecting websites from cross-site scripting (XSS)?
C. Ensure that the session cookie is sent only on HTTPS connections.
D. Treat all user-supplied input as unsafe, and whitelist known good characters.
E. Execute all user-supplied scripts in a server-side sandbox.
I think DE is more correct. AB is right, but not enough.