How can I prevent an XSS attack that places a <script> element in the query string? [duplicate]
Possible Duplicate:
What are the best practices for avoid xss attacks in a PHP site
For example:
http://www.mid-day.com/searchresult.php?query=%3Cscript%3Ealert%28%22This%20is%20vulnerable%20for%20XSS%20..%20by%20binny%22%29%3C/script%3E
This website has an XSS DOM based vulnerability I want to know what causes this vulnerability and how to prevent it?
You should always HTML encode values that come from the user like querystring parameters before outputting them. You could use the htmlentities function.
Instead of:
$str = $_GET['a'];
echo $str;
use:
$str = $_GET['a'];
echo htmlentities($str);
You should never echo directly what is in a $_REQUEST, $_POST, $_GET, or $_SERVER variables.
If you have something like this:
index.php?text=hai
and you say:
echo $_GET['text']
It isn't safe. If you put scripts in there or something:
index.php?text=<script>alert(document.cookie);</script>
It will display the document cookie. Not realy safe.
Same is with $_REQUEST and $_POST when you submit something. And with $_SERVER['THIS_URI']...
index.php?url=<script><!-- something --></script>
and you do
<form action="<?php echo $_SERVER['THIS_URI']; ?>"> then you get an XSS hack too.
Allways use htmlentities($string) and in MySQL queries mysql_real_escape_string($string).
Greetings.
You can go for HTML Purifier:
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited,
secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.
Built-in PHP functions do not respond to all sorts of attacks, a reason why such open source solution was needed.
I would also suggest you to take a look at:
- PHP Security Guide
加载中,请稍侯......
精彩评论