All geek questions in one place

Best way to prevent xss attack

Which of the two ways is best to prevent an xss attack?

  • HTMLEntities when saving to db
  • HTMLEntities on display / echo

I think the first is better because you may forget to add this when showing.

+3
source share
4 answers

which of these two ways best prevents the xss attack.

  • HTMLEntities when saving to db
  • HTMLEntities on display / echo

2 - you must convert to the target format at the last moment. This will save you from problems in the future if, for example, you decide that you want to use the same content in an email, in PDF format, as text for the user to edit, etc. Etc.

I find the first one better, because you may forget to add this when displaying

You can forget when pasting into a database.

In addition, not all data enters the database. for example, Previewing data to be inserted or data returned to the form due to errors are both possible XSS vectors. You do not want to deal with such things as "Encoding before entering into the database or re-reflection in the document if it was not from the database." Exceptions are the best way to get into a situation when you forget to code.

+6
source

The best way (option number 3 ..), if you ask me, uses the latest filter extension to handle filtering for you (PHP5). I like to put filter_input_array at the top of my php file to protect myself from, for example, XSS POST attacks

$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);

You should read the film documentation (tutorials) and protect yourself from XSS for input.

+1
source

Reasons for encoding in the displayed code (i.e. after reading text from the database):

  • The database can be viewed in a graphical interface other than HTML, which requires modification. Modification of general-purpose database administration tools to automatically decode specific text (in which encoding?) For one application is neither feasible nor desirable.
  • Incorrect HTML coding means that you need to trust the database to be safe. If there is ever a vulnerability - directly in the database or in another web application, your application will also become vulnerable.
  • Storing encoded HTML in a database prevents searching; you cannot directly use special search libraries such as Lucene. In addition, since html coding cannot be bijective, full-text search must either work with a decoded copy of the database, or decode all the records in the database, which leads to O (database size) performance.
  • Future coding transitions are also easier if the entire coding code is concentrated in the displayed code.
  • Encoding increases storage space

I can not think of any reasons for coding when writing. You mentioned that you can forget to encode data in the display logic, but I would say that you are equally likely to forget about it in the database repository.

0
source

strip_tags() and htmlentities() would be strip_tags() before storing in db (unless you mind some extra data bits).

However, make sure that you also take other precautions to protect against SQL injection using mysql_real_escape_string() or a prepared level of data access abstraction, such as PDO.

-1
source

Source: https://habr.com/ru/post/1369677/

More articles:


All Articles