Security: Preventing Cross-site Scripting

Good article summarizing the dangers of Cross-Site Scripting and how to prevent them. Examples are in Perl but the basic message is never trust anything from the browser.

Where cross-site scripting is concerned, particular caution needs to be taken if you allow visitors to your site to add content to it or “echo back” values they’ve submitted (such as a word they’re searching for).

These days it’s better to use PHP libraries like PEAR::HTML_QuickForm or PEAR::Validate to prevent oversights when using regular expressions to validate incoming data.

When you need to allow visitors to add marked up content, the most effective approach is BBTags (common to vBulletin and phpBB) – PEAR::HTML_BBCodeParser can help. “One to watch” in that area is KSES which is an “HTML and XHTML filter”, if you want visitors to be able to use native tags.
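The "echo back" case from above, as an added example that is not from the article: a search term is first checked against a whitelist and then HTML-encoded on output, with the unsafe version shown for contrast. The function names and the sample input are assumptions made for this illustration.

```php
<?php
// Added example (not from the article): a search page that "echoes back"
// the submitted term, in its vulnerable and hardened forms.

// Vulnerable: the raw term is written straight into the page, so markup
// submitted by the client becomes live HTML in the response.
function render_search_vulnerable(string $term): string
{
    return "<p>Results for: <b>$term</b></p>";
}

// Hardened step 1: validate against an explicit whitelist of what a search
// word may contain, and reject (rather than try to "clean") anything else.
function validate_term(string $term): ?string
{
    $term = trim($term);
    if ($term === '' || strlen($term) > 64) {
        return null;
    }
    // Letters, digits, spaces and a few punctuation marks; no angle
    // brackets, quotes or ampersands. \p{L} keeps non-ASCII letters usable.
    if (!preg_match('/^[\p{L}\p{N} .,\'-]+$/u', $term)) {
        return null;
    }
    return $term;
}

// Hardened step 2: encode on output regardless of validation, so the value
// is rendered as text inside the HTML element it is inserted into.
function render_search_safe(string $term): string
{
    $safe = htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Results for: <b>$safe</b></p>";
}

// Constructed input standing in for $_GET['q']; a real handler would read
// the request parameter instead.
$submitted = "<script>alert(1)</script>";

echo render_search_vulnerable($submitted), "\n"; // script tag reaches the page
echo render_search_safe($submitted), "\n";       // &lt;script&gt;... shown as text

$checked = validate_term($submitted);
echo $checked === null ? "rejected by whitelist\n" : "accepted: $checked\n";
```

Validation and output encoding are separate layers: the whitelist rejects this input outright, and the encoding step still protects pages where a value reaches the output by another route.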

  • php fan
  • http://www.phppatterns.com HarryF

    Good tip offs.

    Couple more:

    OWASP – http://www.owasp.org/ – tons of good tips on potential vulns. Mainly Java / .NET focused right now – would be great to see someone fill in the blanks for PHP, in their security guide.

    Also worth a read is the OWASP Top 10 in PHP terms: http://www.sklar.com/page/article/owasp-top-ten

  • http://www.ajohnstone.com Andrew-J2000

    [quote=HarryF]never trust anything from the browser[/quote]
    You mean never trust any client's input; it does not necessarily have to be a browser.

  • http://www.phppatterns.com HarryF

    [quote=Andrew-J2000][quote=HarryF]never trust anything from the browser[/quote] You mean never trust any client's input, it does not necessarily have to be a browser.[/quote]

    Very true. At the same time, I’ve sometimes seen website security being built around things like the HTTP_REFERRER, which comes from the browser and can be “spoofed”. It’s not exactly client input normally but still should not be trusted.

    Bottom line: be paranoid ;)

  • Anonymous

    ;!–“=