how to avoid cross-site scripting (xss)

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users.

Let me show an example:

<form method="post" action="" >
<!-- the submitted value is echoed back unescaped, both here and in the message below -->
<input type="text" name="q" value="<?=$_POST['q']?>" />
<input type="submit" value="Search">
</form><br/><br/>
<?php
// raw user input concatenated straight into the HTML output
if(!empty($_POST['q']))
    echo " No result for <b>".$_POST['q']."</b>!";
?>

If you submit the following "word" through the search form:

<script>alert(0);</script>
the browser will show an alert containing '0': the script tag was written into the page as markup and executed. To avoid this, simply use the PHP function htmlentities, which converts all applicable characters to HTML entities so the browser renders the input as plain text.
So the modified code will be:
<form method="post" action="" >
<!-- the value attribute is escaped too; ENT_QUOTES also encodes single quotes -->
<input type="text" name="q" value="<?= isset($_POST['q']) ? htmlentities($_POST['q'], ENT_QUOTES, 'UTF-8') : '' ?>" />
<input type="submit" value="Search">
</form><br/><br/>
<?php
// htmlentities() turns <, >, &, " and ' into entities before the value reaches the page
if(!empty($_POST['q']))
    echo " No result for <b>".htmlentities($_POST['q'], ENT_QUOTES, 'UTF-8')."</b>!";
?>
In this way the submitted text is displayed literally, as it should be, and the script is never executed.
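As an added example (not code from the original post), here is the same search page with the escaping pulled into one helper that is applied in both places user input is echoed, plus a small self-check over constructed inputs. It assumes PHP 5.4 or later (for ENT_HTML5) and a page served as UTF-8.

```php
<?php
// Added example, not from the original post: one escaping helper used for
// both the <input value="..."> attribute and the result message.
// Assumption: PHP >= 5.4 (ENT_HTML5 flag), output served as UTF-8.

// Escape a string for insertion into HTML text or a quoted attribute.
// ENT_QUOTES also converts ' so the result is safe in single-quoted
// attributes; passing 'UTF-8' avoids htmlentities() returning "" on
// input in an unexpected encoding.
function esc($value) {
    return htmlentities((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Render the search page for an already received query string.
function render_search_page($q) {
    $safe = esc($q);
    $html  = '<form method="post" action="">' . "\n";
    $html .= '<input type="text" name="q" value="' . $safe . '" />' . "\n";
    $html .= '<input type="submit" value="Search">' . "\n";
    $html .= '</form><br/><br/>' . "\n";
    if ($q !== '') {
        $html .= ' No result for <b>' . $safe . '</b>!';
    }
    return $html;
}

// Constructed sample inputs: the payload from the post and a harmless
// string whose quotes and ampersand also need encoding.
$cases = array(
    '<script>alert(0);</script>' => '&lt;script&gt;alert(0);&lt;/script&gt;',
    'O\'Reilly & Sons "Ltd"'     => 'O&apos;Reilly &amp; Sons &quot;Ltd&quot;',
);
foreach ($cases as $input => $expected) {
    $out = render_search_page($input);
    // The raw input must never appear verbatim; its encoded form must.
    if (strpos($out, $input) !== false || strpos($out, $expected) === false) {
        throw new RuntimeException("escaping failed for: $input");
    }
}
echo "all inputs encoded correctly\n";
```

In the real page you would call render_search_page(isset($_POST['q']) ? $_POST['q'] : '') instead of running the self-check.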

One Response to how to avoid cross-site scripting (xss)

  1. salvo says:

    Very interesting topic!

    ciao
    salvo
