Preventing XSS

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. (WikiPedia)

I saw, discovered, and patched many XSS vulnerabilities for a long time. For today, I will teach you the two basic methods on preventing them. The first one is very very simple. XSS mainly depends on the user input, so the idea is, do not ouput any user input at all! This was quite a small but efficient fix.

The second one is used if the page “should” output a user input. An example is a search query, or login form(username). So what to do? You should use htmlentities().

This will re-encode the input text making it invalid for the browser to recognize the input as a html tag. It’s also simple, but the key is, you should use htmlentities right before you output the string. This might cause a problem with usernames and passwords, so be sure to use them correctly!



~ by itsrui on March 25, 2009.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: