All geek questions in one place

PHP XSS Question / Clarification

This was asked earlier, but I need 100% clarity on this issue, since it is very important for me that everything is correct.

Situation: The message system on the website. The user enters a message into the text field, he passes the form and is entered into the database. This data can then be called from the database and displayed in <span> tags to another user.

What security measures should I take to prevent the spread of this data? I already use mysql_real_escape_string to stop any injection, and strip_tags seems useful, but I heard many other names. What should I use to protect this data, given that it only appears in <span> tags?

Thanks.

+6
source share
3 answers

The misconception is that you want to avoid typing, which is wrong. You must filter the output (and the database is also the result).

This means that when you mysql_real_escape_string() form, you use mysql_real_escape_string() to send (output) data to the database, and you use htmlspecialchars() to display the contents on the screen. The same principle applies to regular expressions in which you would use preg_quote() , etc.

No matter where the data comes from, you should avoid it in the context of where you send it.

So, to prevent XSS attacks, you should use htmlspecialchars() / htmlentities() . mysql_real_escape_string has nothing to do with XSS (but you should still use it when sending data to the database).

+3
source

Use htmlspecialchars when outputting to an HTML page. It will display the data in the same way that the user entered it (so that users can use something like <3 in their messages without removing the rest)

+3
source

Please check out Cheat Sheet OWASP XSS. He will explain how to avoid XSS for different contexts. Htmlentities should do the work between tags.

0
source

Source: https://habr.com/ru/post/896509/

More articles:


All Articles