so I have a site where users can register using a username of their choosing and can submit large blocks of text and add comments. Currently, to avert XSS, I use strip_tags on the data on input to the database and I only output the data in the body, rather than in an attribute. I'm currently making changes to the site, one of which is to make a user page which is loaded when someone clicks on the username (a link). This would look like:
<a href="example.com/user/<?php echo $username; ?>">...</a>
I'm worried that for the $username variable, someone could insert
<a href="example.com/user/user" onClick="javascript:alert('XSS');">...</a>
I've read a bunch of the other SO posts on this, but none gave a black-and-white answer. If I use the following on all text on output, in addition to strip_tags on input:
echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
is that going to be enough to stop all XSS attacks, including those using the inline javascript: syntax?
Also, is there any way to remove actual html tags without removing things like "Me > you"?
Thanks!
To prevent XSS, your application must validate all input data (accept only what an allowlist permits) and encode every piece of variable output for the context it is rendered into before it is returned to the user.
Cross-site scripting (XSS) is an injection attack in which an attacker places data, such as a malicious script, into content served by a trusted website. The script is then delivered to the victim's browser as part of the page's dynamic content, where it runs with the privileges of that site's origin. XSS is one of the most common classes of web vulnerability.
Output encoding is the most important line of XSS defense, but encoding is context-dependent and no single encoder is sufficient for every context (HTML body, attribute value, URL, JavaScript string). You should also validate input as strictly as possible at the point where it is first received from the user.
According to the PHP5 Certification Study guide, there are two golden rules about security:
At the moment you are only looking at one side of the problem.
But I would prefer htmlentities.
Escaping depends on the context. If it's a URL, use URL encoding (%xx), but also check that the full URL does not start with "javascript:". Your syntax for the onclick-attribute is not required. Onclick is a javascript event handler, so any javascript inside it will run.
See the OWASP XSS Prevention Cheat sheet to see how to escape for different contexts.
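The following is an added example, not code from the question or from any of the answers, showing what "escaping depends on the context" means for the asker's link. The username passes through two contexts in turn: it is a path segment of a URL, and that URL is the value of an HTML attribute. Each context gets its own encoder. The helper names (userProfileHref, safeExternalUrl), the relative /user/ path and the sample usernames are my own assumptions; the page only shows example.com/user/.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). Builds the href for the
// user-page link from an untrusted username.
function userProfileHref(string $username): string
{
    // URL context: percent-encode the path segment so "/", "?", "#", spaces
    // and quotes cannot change the URL's structure. rawurlencode() leaves only
    // A-Z a-z 0-9 - _ . ~ unencoded. (Assumed path prefix: /user/)
    $path = '/user/' . rawurlencode($username);

    // HTML attribute context: encode & < > " ' so the value cannot close the
    // attribute or the tag. This is the call the asker proposed; ENT_QUOTES
    // matters because single-quoted attributes are legal HTML.
    return htmlspecialchars($path, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The "javascript:" check from the answer above is only needed when the
// user controls the *start* of the URL (e.g. a profile "homepage" field).
// In userProfileHref() the fixed "/user/" prefix already makes a scheme
// impossible; here the scheme must be allowlisted, because
// "javascript:alert(1)" is a syntactically valid URL and percent-encoding
// would not stop it. Returns null when the URL is rejected.
function safeExternalUrl(string $url): ?string
{
    $parts = parse_url($url);             // note: a splitter, not a validator
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                        // relative or malformed: reject
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                        // javascript:, data:, vbscript:, ...
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs, including the payload the question worries about.
$usernames = [
    'alice',
    'user" onclick="alert(1)',   // attempt to break out of the href attribute
    'Me > you',                  // harmless text that strip_tags-style filters mangle
    '../../admin',               // attempt to change the path
];

foreach ($usernames as $u) {
    // Link text is a third context (HTML body): the same htmlspecialchars call
    // is correct there, and "Me > you" is rendered as written ("&gt;" is only
    // the encoded form; the browser shows ">").
    $text = htmlspecialchars($u, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    echo '<a href="' . userProfileHref($u) . '">' . $text . "</a>\n";
}

foreach (['https://example.com/~alice', 'JavaScript:alert(1)', '/relative'] as $url) {
    var_dump(safeExternalUrl($url));
}
```

For the payload `user" onclick="alert(1)` the href becomes `/user/user%22%20onclick%3D%22alert%281%29`: the quote, space, equals sign and parentheses are all percent-encoded before htmlspecialchars ever sees them, so nothing can close the attribute. Note that this is output encoding done at render time; it replaces the need to strip_tags on input, which is what breaks text like "Me > you" and "I <3 PHP" in the first place.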