What is cross-site scripting and how to avoid it?

**zalez** · Sep 21st, 2006, 07:05 PM

I haven't been able to find much about this topic so I thought I would ask.

**CornedBee** · Sep 21st, 2006, 07:36 PM

Basically it's when any visitor to your site can add some content (be it a guest book, message board, wiki, whatever) and JavaScript in that content gets executed. It allows the user to pretend to be your site while doing something malicious. The end user, trusting your site, may for example write credit card information, and the attacker, through the injected script, can intercept this information.

To avoid it, you must make absolutely sure that you've properly validated and sanitized all user input.

**zalez** · Sep 21st, 2006, 08:06 PM

How would you go about validating user input and striping out any potential malicious code?

**CornedBee** · Sep 21st, 2006, 08:25 PM

Depends on what the user input is. The simplest form is to just push it through htmlentities().

**penagate** · Sep 22nd, 2006, 01:53 AM

A basic rule of thumb is to never directly reflect any input. Always process it first.

**zalez** · Sep 23rd, 2006, 12:47 AM

Thanks guys for your responses

is there any code out there that you guys think is good for stripping out html and javascript?

**penagate** · Sep 23rd, 2006, 03:23 AM

You shouldn't try to strip out HTML and JS like that, it's too troublesome. Just use htmlentities() like CB suggested and angle brackets (among other things) will be converted to < and > so that they are not parsed as code.

Thread: What is cross-site scripting and how to avoid it?

Thread Tools

Display

What is cross-site scripting and how to avoid it?

Re: What is cross-site scripting and how to avoid it?

Re: What is cross-site scripting and how to avoid it?

Re: What is cross-site scripting and how to avoid it?

Re: What is cross-site scripting and how to avoid it?

Re: What is cross-site scripting and how to avoid it?

Re: What is cross-site scripting and how to avoid it?

Posting Permissions