All geek questions in one place

How to prevent an XSS attack using a Zend form using%

Our company has made a website for our client. The client hired a website security company to check the pages for security before launching the product.

We have removed most of our problems with XSS. We created a site with zend. We add the StripTags, StringTrim and HtmlEntities filters to the elements of the order form.

They performed another test, and still failed :(

They used the following for a single input field in the http header data: name=%3Cscript%3Ealert%28123%29%3C%2Fscript%3Ewhich basically converts toname=<script>alert(123);</script>

I added alpha and alnum to some fields that fix the XSS (touch wood) vulnerability by removing%, but now the boss doesn't like it, because as for O'Brien and double-barrel surnames ...

I did not come across% 3C as a <problem reading XSS. Is there something wrong with my character set or html encoding, or something like that?

I probably now need to write a custom filter, but it will be a huge pain to do this with every site and deployment. Please help, this is really frustrating.

EDIT: if this is due to exit form, how to do it? The form is sent to the same page - how can I escape if I have only in my opinion<?= $this->form ?>

How can I get a Zend Form to exit it?

+3
source share
2 answers

%3Cscript%3Ealert%28123%29%3C%2Fscript%3E - URL- <script>alert(123);</script>. , < , %3C. PHP <, - .

, , ; %3C , <. , XSS.

XSS. zend. StripTags, StringTrim HtmlEntities .

, XSS. , .

- , XSS.

. , , O'Brien. <script>, . HTML-, , , HTML-? , , 'Fish&amp;Chips', HTML- HTML.

HTML- . , (, , , SQL-escape- , ). HTML, :

Name: <?php echo htmlspecialchars($row['name']); ?>

echo "Name: $name";, , , .

: h, htmlspecialchars . htmlentities, - -ASCII-, , $charset.

(, Zend_View, $this->escape().)

, , , , , . , , , , - HTML, SQL, JavaScript , .

+14

, HTML-, .

%3C - URL- <; .

+2

Source: https://habr.com/ru/post/1761917/

More articles:


All Articles