XSS Attack Prevention

I found a “database” of many XSS attacks, and although this list contains a fairly large list of attacks, are there any other attacks that do not fall into XML? What should I look for most unexpectedly?

3 answers

I used HTML Purifier to allow users to enter only specific, safe HTML in comment text fields. It does a very good job and has very good documentation.

For everything else, like a simple text field or a selection window, when I write a value to a page, I always run it through htmlentities():

echo htmlentities($_POST['email'], ENT_QUOTES, 'UTF-8'); // encode both quote styles; state the charset explicitly

As long as all user data is always written to the page using htmlentities(), you should never have a problem with XSS.

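To show what the rule above protects and where its guarantee stops, here is an added example (not code from the answer or from HTML Purifier); the inputs are constructed strings, not real form data. It contrasts the pre-8.1 default flag (ENT_COMPAT, which leaves single quotes alone) with ENT_QUOTES, and shows the encoded value placed in both attribute quote styles.

```php
<?php
// Added example: constructed inputs showing why ENT_QUOTES and an explicit
// charset matter when htmlentities() is the only guard on output.

// Constructed sample values; nothing is read from a real request.
$samples = [
    'name'    => 'O\'Brien',
    'comment' => 'Says "hi" <b>and</b> it\'s <i>fine</i>',
];

function escape_html(string $value): string {
    // ENT_QUOTES encodes both " and ', so the result is safe inside
    // double-quoted AND single-quoted attributes as well as in element text.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning '' silently.
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($samples as $field => $raw) {
    // ENT_COMPAT (the default before PHP 8.1) leaves the single quote as-is,
    // which is not enough if the value ever lands in a single-quoted attribute.
    $compat = htmlentities($raw, ENT_COMPAT, 'UTF-8');
    $quotes = escape_html($raw);
    printf("%s\n  ENT_COMPAT: %s\n  ENT_QUOTES: %s\n", $field, $compat, $quotes);
}
// name  -> ENT_COMPAT: O'Brien              ENT_QUOTES: O&#039;Brien
// comment -> both encode < > and ", only ENT_QUOTES also encodes '

// Applying the same rule at output time; the value stays inert in either quote style.
printf('<input name="who" value="%s">%s', escape_html($samples['name']), PHP_EOL);
printf("<input name='who' value='%s'>%s", escape_html($samples['name']), PHP_EOL);
printf("<p>%s</p>%s", escape_html($samples['comment']), PHP_EOL);

// Caveat: entity encoding covers HTML text and attribute contexts only. A value
// written into a <script> block, an event-handler attribute, a URL, or CSS needs
// the encoder for that context (or should not be placed there at all).
```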

Not sure what exactly you are looking for, but if you want to prevent XSS attacks on your site, I would say don't allow HTML at all. If you want to enable HTML, see how StackOverflow does it.

You can find a few things that another site has missed here.


You can use many sanitizing tools to remove potentially malicious data, for example:

for ASP.NET: the Microsoft Anti-XSS library, or the HTML Agility Pack used from code.

for PHP: you can use HTMLPurifier. This is a very good and convenient tool.


Source: https://habr.com/ru/post/1711892/
