Avoid XSS Vulnerabilities - Whitelist?

What are the best methods to prevent XSS vulnerabilities?

Many people mention whitelists, which sound like a good idea, but I see that many people define whitelists using RegEx. This is inherently erroneous because it depends on many factors, the least of which is the implementation of RegEx and the ability of the person expressing the expression to not make a mistake. Consequently, many XSS attacks succeed because they use methods to force the regular expression to accept them.

What are the best (although maybe more time consuming than whitelisting) ways to avoid these vulnerabilities / misinform user input? Is it even theoretically possible to completely misinform user input?

+3
3 answers

The best way to filter XSS depends on which platform you are running on. Regular expressions can be useful in preventing many types of vulnerabilities, but this is not always the best. The best way to prevent XSS in PHP is to use htmlspecialchars(). For example:

Reflective XSS:

print $_GET['xss'];

Corrected:

print htmlspecialchars($_GET['xss'],ENT_QUOTES);

To test this, we can try and execute some JavaScript: http://127.0.0.1/xss.php?xss=<script>alert(/xss/)</script> In the first example, we get a pop-up saying /xss/. The corrected example will display a safe version of the HTML string: <script>alert(/xss/)</script>

, < > , &lt; &gt; , XSS.

0
+4
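
An added example, not part of the original answers, showing why the ENT_QUOTES flag in the corrected line above matters: with ENT_COMPAT a single quote in the input survives and ends a single-quoted attribute value, while ENT_QUOTES encodes it. The helper name e() and the sample inputs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (the name "e" is an assumption, not from the page):
// encode a value for use as HTML text or inside a quoted attribute value.
function e(string $value): string
{
    // ENT_QUOTES encodes both " and '. ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences with U+FFFD instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs standing in for $_GET['xss'].
$samples = [
    "<script>alert(/xss/)</script>", // the test string used in the answer
    "x' data-injected='1",           // single quotes only, no angle brackets
];

foreach ($samples as $input) {
    // ENT_COMPAT encodes < > & and " but leaves ' untouched.
    $compat = htmlspecialchars($input, ENT_COMPAT, 'UTF-8');
    $quotes = e($input);

    // Both results are placed in a single-quoted attribute so the
    // difference between the two flag sets is visible in the markup.
    echo "input      : $input\n";
    echo "ENT_COMPAT : <input value='$compat'>\n";
    echo "ENT_QUOTES : <input value='$quotes'>\n\n";
}
```

Run it with the PHP command-line interpreter and compare the two generated tags for the second sample. Passing the flags explicitly also keeps the behaviour the same across PHP versions, since the default flags of htmlspecialchars() changed to include ENT_QUOTES in PHP 8.1.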

, HTML, . , , HTML, , <em> HTML.

HTML, / , , XSS, ​​ HTMLPurifier: http://htmlpurifier.org/

, . XSS.

+2

Source: https://habr.com/ru/post/1717998/

