Step 1: Escape User Output
If you are going to include user-supplied data in a page, escape it. In this simplified guide we will stick to one simple escape operation: HTML-encode every <, >, &, ' and ". For example, PHP provides the htmlspecialchars() function for exactly this task. Note that htmlspecialchars() only encodes the single quote when it is called with the ENT_QUOTES flag (PHP 8.1 made that the default); with the older default flags a single-quoted attribute value can still be broken out of.
Step 2: Always Use XHTML
Read the OWASP XSS prevention cheat sheet and it becomes obvious that protecting against injection is much harder if you use unquoted attributes in your HTML. In quoted attributes, by contrast, escaping the data becomes the same operation needed to escape data placed inside tag content, the escape operation mentioned above. This is because the only character that is structurally significant inside a quoted attribute, from an injection standpoint, is the closing quote.
Obviously your markup does not have to be XHTML to have quoted attributes. However, writing and validating XHTML makes it easy to verify that all attributes are quoted, because XHTML requires it.
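The following is an added example (not code from the original tutorial) that puts Steps 1 and 2 side by side in Python. html.escape(quote=True) stands in for htmlspecialchars() with ENT_QUOTES. The attribute tokenizer and the payloads are constructed for the demonstration: the tokenizer is a deliberately crude approximation of how a lenient browser splits a tag into attributes, not a real HTML parser, and it exists only to make the difference between a quoted and an unquoted attribute visible.

```python
import html
import re

def escape_html(data):
    """The tutorial's one escape operation: HTML-encode <, >, &, ' and ".
    html.escape(quote=True) is the Python equivalent of PHP's
    htmlspecialchars($data, ENT_QUOTES)."""
    return html.escape(data, quote=True)

def render_tag_content(user_data):
    """Step 1: user data inside tag content."""
    return f"<p>{escape_html(user_data)}</p>"

def render_quoted_attr(user_data):
    """Step 2 done right: quoted attribute, the same escape is enough."""
    return f'<div title="{escape_html(user_data)}"></div>'

def render_unquoted_attr(user_data):
    """Step 2 done wrong: the value is escaped but the attribute is not
    quoted, so whitespace ends the value and starts a new attribute."""
    return f"<div title={escape_html(user_data)}></div>"

# Constructed approximation of how a lenient browser tokenises the
# attributes of a tag: a quoted value runs to the closing quote, an
# unquoted value runs to the next whitespace or '>'.
_TAG_RE = re.compile(r"<div\s*([^>]*)>")
_ATTR_RE = re.compile(r'([A-Za-z-]+)(?:="[^"]*"|=[^\s>]*)?')

def attribute_names(fragment):
    """Attribute names of the first <div> in fragment, lower-cased."""
    m = _TAG_RE.search(fragment)
    if m is None:
        return []
    return [a.group(1).lower() for a in _ATTR_RE.finditer(m.group(1))]

def injected_handler(fragment):
    """True if the rendered tag ended up with an on* event-handler attribute."""
    return any(name.startswith("on") for name in attribute_names(fragment))

# Constructed payloads.
TAG_PAYLOAD = "<script>alert(1)</script>"
# Contains none of < > & ' ", so the Step 1 escape leaves it unchanged;
# only the quoting of the attribute decides whether it is harmless.
ATTR_PAYLOAD = "x onmouseover=alert(1)"

if __name__ == "__main__":
    print(render_tag_content(TAG_PAYLOAD))
    quoted = render_quoted_attr(ATTR_PAYLOAD)
    unquoted = render_unquoted_attr(ATTR_PAYLOAD)
    print(quoted, "handler injected:", injected_handler(quoted))
    print(unquoted, "handler injected:", injected_handler(unquoted))
```

The point of the second payload is that it is already "escaped" by the Step 1 rule and still becomes an event handler the moment the attribute loses its quotes; the escape function was never wrong, the markup was.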
Step 3: Only Allow Alphanumeric Data Values in CSS and JavaScript
Restrict the data you allow users to place in the CSS and JavaScript sections of a page to alphanumeric characters (for example, with a regular expression such as [a-zA-Z0-9]+), and make sure it is used only in a context where it genuinely represents a value. In JavaScript, that means user data appears only inside a quoted string assigned to a variable (for example, var userId = "ALPHANUMERIC_USER_ID_HERE";). In CSS, it means user data appears only in the position of a property value (for example, p { color: #ALPHANUMERIC_USER_COLOR_HERE; }). This may seem draconian, but hey, this is supposed to be a simple XSS tutorial.
To be clear, you should always validate user data to make sure it meets your expectations, even for data that ends up in tag content or attributes as in the previous examples. But it is especially important for the CSS and JavaScript areas, because the complexity of the possible data structures there makes XSS extremely hard to prevent by escaping alone. Inside a <script> block, for instance, a literal </script> ends the block no matter how the JavaScript string around it is quoted; the alphanumeric restriction rules that out by construction, since neither < nor / is allowed.
The common kinds of data that users may need to supply to your JavaScript, such as Facebook, YouTube and Twitter IDs, are usable under this restriction. So are CSS color values and other styles. If you must extend the whitelist, do it one character at a time with a reason for each: a YouTube video ID, for example, can also contain - and _, and neither is structurally significant inside a quoted JavaScript string or a CSS property value.
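As an added example (not part of the original tutorial), here is the Step 3 whitelist implemented in Python, together with the two permitted contexts and a set of constructed inputs showing what it rejects. One detail the tutorial's [a-zA-Z0-9]+ leaves open is anchoring: the code uses re.fullmatch rather than a ^...$ pattern, because in Python $ also matches just before a trailing newline and "abc\n" would slip through.

```python
import re

# Step 3 whitelist: letters and digits only.  re.fullmatch is used instead
# of an '^...$' pattern because '$' also matches just before a trailing
# newline, which would let "abc\n" through.
ALNUM_RE = re.compile(r"[a-zA-Z0-9]+")

def require_alnum(value):
    """Return value unchanged if it is a non-empty alphanumeric string,
    otherwise raise.  This is validation, not escaping: rejected data
    never reaches the page at all."""
    if not isinstance(value, str) or ALNUM_RE.fullmatch(value) is None:
        raise ValueError(f"rejected non-alphanumeric value: {value!r}")
    return value

def js_user_id_snippet(user_id):
    """The only allowed JavaScript context: a quoted string assigned to a variable."""
    return f'var userId = "{require_alnum(user_id)}";'

def css_color_snippet(color):
    """The only allowed CSS context: a property value."""
    return f"p {{ color: #{require_alnum(color)}; }}"

def is_accepted(value):
    try:
        require_alnum(value)
    except ValueError:
        return False
    return True

# Constructed samples: what the whitelist should accept and reject.
SAMPLES = {
    "u12345": True,
    "ff0000": True,
    'x"; alert(1); //': False,                           # closes the JS string literal
    "x</script><script>alert(1)//": False,               # ends the <script> block whatever the JS quoting
    "red; background: url(javascript:alert(1))": False,  # appends a CSS declaration
    "000} body { display: none; } p {": False,           # breaks out of the rule block
    "abc\n": False,                                      # '^[a-zA-Z0-9]+$' would accept this
    "": False,
}

def check_samples():
    """Map each sample to the whitelist's verdict."""
    return {value: is_accepted(value) for value in SAMPLES}

if __name__ == "__main__":
    print(js_user_id_snippet("u12345"))
    print(css_color_snippet("ff0000"))
    for value, verdict in check_samples().items():
        print("accept" if verdict else "reject", repr(value))
```

Because the check runs before rendering, the rejected values above are never escaped at all; they are simply refused, which is the whole point of Step 3.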
Step 4: URL-Encode Query String Parameters
If user data appears as a query-string parameter value in a link URL, make sure it is URL-encoded. Again using PHP as the example, you can simply use the urlencode() function (or rawurlencode() if you want spaces encoded as %20 rather than +). URL encoding is in addition to, not instead of, the escaping from Step 1: once the URL is assembled it is an attribute value and must still be HTML-escaped, so that the & separating parameters becomes &amp;. Let me clarify this with a couple of examples, since I have seen a lot of confusion on this particular point.
URL encoding required
The following example shows user data that must be URL-encoded because it is used as a value in the query string.
<a href="http://site.com?id=USER_DATA_HERE_MUST_BE_URL_ENCODED">
No need to URL-encode
The following example shows user-provided data being used as the entire URL. In this case the user data should be escaped with the standard escape function (HTML-encode every <, >, &, ' and ") and not URL-encoded. URL-encoding it here would turn the :// of the scheme into %3A%2F%2F and produce an invalid link.
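As an added example (not the tutorial's own code), the following Python renders both Step 4 cases: a user value placed in a query-string parameter, and a user-supplied whole URL. quote_plus is the Python counterpart of PHP's urlencode(). One check goes beyond what the text covers and is labelled as such in the code: when the user controls the entire URL, HTML escaping says nothing about the scheme, so the example also refuses anything other than http and https, which keeps javascript: links out of the href. All inputs are constructed.

```python
import html
from urllib.parse import quote_plus, urlsplit, parse_qs

def escape_html(data):
    """The Step 1 escape, needed again once the URL sits inside an attribute."""
    return html.escape(data, quote=True)

def link_with_query_param(base, name, user_data):
    """Case 1: user data is a query-string value.  URL-encode it first
    (quote_plus behaves like PHP's urlencode(): space becomes '+'), then
    HTML-escape the finished URL because it is now an attribute value."""
    url = f"{base}?{quote_plus(name)}={quote_plus(user_data)}"
    return f'<a href="{escape_html(url)}">link</a>'

def query_as_seen_by_server(url):
    """What the receiving script decodes from the query string."""
    return parse_qs(urlsplit(url).query)

# Added check beyond the page: HTML escaping does not constrain the
# scheme, and a javascript: URL runs script on click, so only the
# schemes you actually expect are allowed.
ALLOWED_SCHEMES = {"http", "https"}

def link_to_user_url(user_url):
    """Case 2: user data is the entire URL.  Do not URL-encode it; HTML-
    escape it like any other attribute value."""
    if urlsplit(user_url).scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"rejected URL scheme in {user_url!r}")
    return f'<a href="{escape_html(user_url)}">link</a>'

def accepts_user_url(user_url):
    try:
        link_to_user_url(user_url)
    except ValueError:
        return False
    return True

def wrongly_url_encoded_whole_url(user_url):
    """The mistake the text warns about: URL-encoding a complete URL
    mangles its scheme and path separators and the link stops working."""
    return f'<a href="{escape_html(quote_plus(user_url))}">link</a>'

if __name__ == "__main__":
    # Constructed inputs.
    print(link_with_query_param("https://site.com/", "id", "a&b=<script>"))
    print(query_as_seen_by_server("https://site.com/?id=a%26b%3D%3Cscript%3E"))
    print(link_to_user_url("https://example.org/?q=a&b=c"))
    print(wrongly_url_encoded_whole_url("https://example.org/?q=a&b=c"))
    print("javascript: accepted:", accepts_user_url("javascript:alert(1)"))
```

Note the two different layers at work in case 1: URL encoding keeps the user's & and = from becoming parameter separators, while the HTML escape of the assembled URL keeps the href attribute intact; the server still decodes the original value, as query_as_seen_by_server shows.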