By Harry Fuecks

Security: Preventing Cross-site Scripting

Good article summarizing the dangers of Cross-Site Scripting and how to prevent them. Examples are in Perl but the basic message is never trust anything from the browser.

Where cross-site scripting is concerned, particular caution needs to be taken if you allow visitors to your site to add content to it or “echo back” values they’ve submitted (such as a word they’re searching for).

These days it’s better to use PHP libraries like PEAR::HTML_QuickForm or PEAR::Validate to prevent oversights when using regular expressions to validate incoming data.

When you need to allow visitors to add marked up content, the most effective approach is BBTags (common to vBulletin and phpBB) – PEAR::HTML_BBCodeParser can help. “One to watch” in that area is KSES which is an “HTML and XHTML filter”, if you want visitors to be able to use native tags.
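As an added example, not code from the article or from the PEAR packages it names, the following PHP shows the two situations described above: a search term that is echoed back to the visitor, and visitor-supplied markup that is reduced to a small whitelist of BBCode tags. The function names (escape_html, search_banner_unsafe, search_banner, bbcode_to_html) and the sample inputs are my own.

```php
<?php
// Added example, not from the article. Function names are illustrative.

// Treat the value as text, never as markup. ENT_QUOTES also escapes single
// quotes so the result is safe inside attribute values, not only element text.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The pattern the article warns about: the submitted word is echoed verbatim,
// so anything the visitor typed becomes part of the page's markup.
function search_banner_unsafe(string $term): string
{
    return '<p>Results for: ' . $term . '</p>';
}

// Hardened form: identical output for ordinary words, but tags in the term
// are rendered as literal text.
function search_banner(string $term): string
{
    return '<p>Results for: ' . escape_html($term) . '</p>';
}

// Minimal BBCode: escape the whole string first, then re-enable only a fixed
// whitelist of tags. Anything not on the list stays literal text, and [url]
// only accepts http(s) links, so non-http schemes never reach an href.
function bbcode_to_html(string $input): string
{
    $html = escape_html($input);
    $rules = [
        '~\[b\](.*?)\[/b\]~s' => '<strong>$1</strong>',
        '~\[i\](.*?)\[/i\]~s' => '<em>$1</em>',
        '~\[url=(https?://[^\s"\'\]]+)\](.*?)\[/url\]~s' => '<a href="$1">$2</a>',
    ];
    return preg_replace(array_keys($rules), array_values($rules), $html) ?? $html;
}

// Constructed sample inputs (not real submissions).
$term = '<b>php</b> "tips"';
echo search_banner_unsafe($term), "\n";
echo search_banner($term), "\n";

$post = "[b]PEAR[/b] is [i]useful[/i]: [url=https://pear.php.net/]pear.php.net[/url] "
      . "<img src=x> [url=javascript:void(0)]not allowed[/url]";
echo bbcode_to_html($post), "\n";
```

Run with `php example.php`. The unsafe banner emits the visitor's `<b>` tag as real markup, the hardened one prints it as text. In the BBCode post, the bold, italic and https link are converted, the stray `<img>` is shown literally, and the `[url=javascript:...]` tag is left as plain text because it does not match the http(s) whitelist.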

  • php fan
  • Good tip-offs.

    Couple more:

    OWASP – – tons of good tips on potential vulns. Mainly Java / .NET focused right now – would be great to see someone fill in the blanks for PHP, in their security guide.

    Also worth a read is the OWASP Top 10 in PHP terms:

  • [quote=HarryF]never trust anything from the browser[/quote]
    You mean never trust any client's input, it does not necessarily have to be a browser.

  • [quote]never trust anything from the browser
    You mean never trust any client's input, it does not necessarily have to be a browser.[/quote]

    Very true. At the same time, I’ve sometimes seen website security being built around things like the HTTP_REFERRER, which comes from the browser and can be “spoofed”. It’s not exactly client input normally but still should not be trusted.

    Bottom line: be paranoid ;)
