You should refer to the excellent OWASP website for a summary of attacks (including XSS) and defenses against them. Here’s the simplest explanation I could come up with, which might actually be more readable than their web page (but probably nowhere nearly as complete). Specifying a charset. First of all, ensure that your web page … Read more
To make it safe to use you need to use htmlspecialchars(). <?php echo htmlspecialchars($_SERVER[“PHP_SELF”], ENT_QUOTES, “utf-8”); ?> See A XSS Vulnerability in Almost Every PHP Form I’ve Ever Written for how $_SERVER[“PHP_SELF”] can be attacked.
When it comes to database queries, always try and use prepared parameterised queries. The mysqli and PDO libraries support this. This is infinitely safer than using escaping functions such as mysql_real_escape_string. Yes, mysql_real_escape_string is effectively just a string escaping function. It is not a magic bullet. All it will do is escape dangerous characters in … Read more
The idea of a generic sanitation function is a broken concept. There is one right sanitation method for every purpose. Running them all indiscriminately on a string will often break it – escaping a piece of HTML code for a SQL query will break it for use in a web page, and vice versa. Sanitation … Read more
Escaping input is not the best you can do for successful XSS prevention. Also output must be escaped. If you use Smarty template engine, you may use |escape:’htmlall’ modifier to convert all sensitive characters to HTML entities (I use own |e modifier which is alias to the above). My approach to input/output security is: store … Read more
XSS JSF is designed to have builtin XSS prevention. You can safely redisplay all user-controlled input (request headers (including cookies!), request parameters (also the ones which are saved in DB!) and request bodies (uploaded text files, etc)) using any JSF component. <h:outputText value=”#{user.name}” /> <h:outputText value=”#{user.name}” escape=”true” /> <h:inputText value=”#{user.name}” /> etc… Note that when … Read more
XSS can be prevented in JSP by using JSTL <c:out> tag or fn:escapeXml() EL function when (re)displaying user-controlled input. This includes request parameters, headers, cookies, URL, body, etc. Anything which you extract from the request object. Also the user-controlled input from previous requests which is stored in a database needs to be escaped during redisplaying. … Read more
Basically you need to use the function htmlspecialchars() whenever you want to output something to the browser that came from the user input. The correct way to use this function is something like this: echo htmlspecialchars($string, ENT_QUOTES, ‘UTF-8’); Google Code University also has these very educational videos on Web Security: How To Break Web Software … Read more
It’s a common misconception that user input can be filtered. PHP even has a (now deprecated) “feature”, called magic-quotes, that builds on this idea. It’s nonsense. Forget about filtering (or cleaning, or whatever people call it). What you should do, to avoid problems, is quite simple: whenever you embed a a piece of data within … Read more
An XSS attack is one in which the page allows allows users to inject script blocks into the rendered HTML. So, first you must figure out how to do that. For instance, if the input from the user gets displayed on the page and it isn’t html escaped then a user could do the following: … Read more