I was wondering if checking for and removing "<script" from text entry fields would be enough to stop JavaScript code injection attacks?
Encoding is probably the most important line of XSS defense, but it is not sufficient to prevent XSS vulnerabilities in every context. You should also validate input as strictly as possible at the point when it is first received from a user.
htmlentities vs htmlspecialchars: both will prevent XSS attacks. The difference is in the characters each encodes.
A Content Security Policy (CSP) helps to ensure any content loaded in the page is trusted by the site owner. CSPs mitigate cross-site scripting (XSS) attacks because they can block unsafe scripts injected by attackers. However, the CSP can easily be bypassed if it is not strict enough.
No, blocking specific cases is not enough - sooner or later, someone will come up with a contrived case you didn't think of.
See this list of XSS attacks for the most common ones (others, still more exotic, may exist). You need to whitelist the allowed syntax instead of assuming that everything besides the known vectors should be OK.
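The following is an added example, not code posted in this thread. It puts the three approaches discussed above side by side in plain Node.js: the "strip `<script`" filter from the question, output encoding equivalent to PHP's `htmlspecialchars` and `htmlentities`, and a strict allowlist validator for one field. The display-name field and every sample input are constructed for illustration and are not from the original discussion.

```javascript
// Added example, not code from the original thread. Runs in Node.js with no
// dependencies. All sample inputs below are constructed for illustration.

// The idea from the question: delete the literal text "<script" from input.
// It is case-sensitive and only knows one tag, which is why it is insufficient.
function naiveStripScript(input) {
  return String(input).split("<script").join("");
}

// Output encoding for an HTML text context. This mirrors what PHP's
// htmlspecialchars(ENT_QUOTES) does: only the five characters that have
// meaning in HTML are replaced, so the browser never sees a tag boundary.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#039;",
};

function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// The htmlentities-style variant: the same five characters, plus every
// character outside printable ASCII as a numeric entity. The XSS protection
// is identical; the output is just longer and independent of the page charset.
function encodeEntities(input) {
  return escapeHtml(input).replace(/[^\x20-\x7e]/gu, (c) => `&#${c.codePointAt(0)};`);
}

// Input validation: an allowlist for one specific field (a display name,
// an assumed field for this example). Anything not matching is rejected when
// first received, which is the "validate as strictly as possible" layer.
// The allowlist still permits an apostrophe, so output encoding remains required.
const DISPLAY_NAME = /^[\p{L}\p{N} .'-]{1,40}$/u;

function isValidDisplayName(input) {
  return DISPLAY_NAME.test(String(input));
}

// Render a user-supplied value into an HTML fragment: validate on input,
// encode on output. Both layers are applied, as the answers above recommend.
function renderComment(author, body) {
  if (!isValidDisplayName(author)) {
    throw new Error("rejected: author fails allowlist");
  }
  return `<p><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</p>`;
}

// Side-by-side comparison for one input; returns the results so they can be
// inspected or asserted on rather than only printed.
function compare(input) {
  return {
    stripped: naiveStripScript(input),
    escaped: escapeHtml(input),
    entities: encodeEntities(input),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  // Constructed inputs: the second differs from the first only in letter case,
  // which is already enough to slip past the naive filter.
  for (const sample of ["<script>x</script>", "<SCRIPT>x</SCRIPT>", 'café & "friends"']) {
    console.log(JSON.stringify(sample), "=>", compare(sample));
  }
}
```

Running the file shows that the naive filter leaves the upper-case variant untouched while both encoders turn every `<` and `>` into entities regardless of what follows them. A Content Security Policy, as mentioned above, is a further layer applied by the server's response headers and does not replace either validation or encoding.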