I haven't been able to find much about this topic so I thought I would ask. :)
Basically it's when any visitor to your site can add some content (be it a guest book, message board, wiki, whatever) and JavaScript in that content gets executed. It allows the user to pretend to be your site while doing something malicious. The end user, trusting your site, may for example write credit card information, and the attacker, through the injected script, can intercept this information.
To avoid it, you must make absolutely sure that you've properly validated and sanitized all user input.
How would you go about validating user input and stripping out any potential malicious code?
Depends on what the user input is. The simplest form is to just push it through htmlentities().
A basic rule of thumb is to never directly reflect any input. Always process it first.
Thanks guys for your responses. :) Is there any code out there that you guys think is good for stripping out HTML and JavaScript?
You shouldn't try to strip out HTML and JS like that, it's too troublesome. Just use htmlentities() like CB suggested, and angle brackets (among other things) will be converted to `&lt;` and `&gt;` so that they are not parsed as code.
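The approach the replies describe (store the raw input, encode it at output time with htmlentities()) as an added example; this is not code from the thread, and the guestbook entry format and the function names are assumptions made for the illustration:

```php
<?php
// Added example, not from the thread: a minimal guestbook renderer that keeps
// the raw comment and escapes it only at the point where it is written into HTML.
declare(strict_types=1);

// Escape a string for insertion into HTML text or into a double-quoted attribute.
// ENT_QUOTES additionally converts ' and " so a value cannot terminate a quoted attribute.
function escapeHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Render one entry. Every user-controlled value goes through escapeHtml()
// exactly where it is reflected, never before storage.
function renderEntry(array $entry): string
{
    return sprintf(
        '<li class="entry" data-author="%s"><b>%s</b>: %s</li>',
        escapeHtml($entry['author']),
        escapeHtml($entry['author']),
        escapeHtml($entry['message'])
    );
}

// Constructed sample entries: one benign, one containing markup and quotes
// that the browser must display as text rather than interpret.
$entries = [
    ['author' => 'alice',        'message' => 'Nice site & thanks!'],
    ['author' => '"Bob" <admin>', 'message' => '<script>document.title = "x";</script>'],
];

foreach ($entries as $entry) {
    echo renderEntry($entry), PHP_EOL;
}
// Second line of output:
// <li class="entry" data-author="&quot;Bob&quot; &lt;admin&gt;"><b>&quot;Bob&quot; &lt;admin&gt;</b>: &lt;script&gt;document.title = &quot;x&quot;;&lt;/script&gt;</li>
```

htmlentities() is the right tool for HTML text nodes and quoted attribute values; a value that ends up inside a `<script>` block, a URL, or an unquoted attribute needs encoding appropriate to that context instead.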