What is the difference between AntiXss.HtmlEncode and HttpUtility.HtmlEncode?

I don’t have an answer specifically to your question, but I would like to point out that the white list vs black list approach is not just “nice”. It’s important. Very important. When it comes to security, every little thing is important. Remember that with cross-site scripting and cross-site request forgery, even if your site …

htmlspecialchars vs htmlentities when concerned with XSS

htmlspecialchars() will NOT protect you against UTF-7 XSS exploits, that still plague Internet Explorer, even in IE 9: http://securethoughts.com/2009/05/exploiting-ie8-utf-7-xss-vulnerability-using-local-redirection/ For instance:

<?php
$_GET['password'] = 'asdf&ddddd"fancy˝quotes˝';
echo htmlspecialchars($_GET['password'], ENT_COMPAT | ENT_HTML401, 'UTF-8') . "\n";
// Output: asdf&amp;ddddd&quot;fancyË
echo htmlentities($_GET['password'], ENT_COMPAT | ENT_HTML401, 'UTF-8') . "\n";
// Output: asdf&amp;ddddd&quot;fancy&Euml;quotes

You should always use htmlentities and very rarely …

Allow All Content Security Policy?

For people who still want an even more permissive policy, because the other answers were just not permissive enough, and they must work with Google Chrome for which * is just not enough:

default-src * data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval' 'unsafe-dynamic'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; …

What is the http-header “X-XSS-Protection”?

X-XSS-Protection is an HTTP header understood by Internet Explorer 8 (and newer versions). This header lets domains toggle on and off the “XSS Filter” of IE8, which prevents some categories of XSS attacks. IE8 has the filter activated by default, but servers can switch it off by setting X-XSS-Protection: 0. See also http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx

XSS filtering function in PHP

Simple way? Use strip_tags(): $str = strip_tags($input); You can also use filter_var() for that: $str = filter_var($input, FILTER_SANITIZE_STRING); The advantage of filter_var() is that you can control the behaviour by, for example, stripping or encoding low and high characters. Here is a list of sanitizing filters.

Prevent XSS with strip_tags()?

I strongly disagree it’s “academically better”. It breaks user input (imagine how useless StackOverflow would be for this discussion if they “cleaned” posts from all tags). Text inserted in HTML with only tags stripped will be invalid. HTML requires & to be escaped as well. It’s not even safe in HTML! strip_tags() is not enough …