Security: Preventing Cross-site Scripting

Good article summarizing the dangers of Cross-Site Scripting and how to prevent them. Examples are in Perl but the basic message is never trust anything from the browser.

Where cross-site scripting is concerned, particular caution needs to be taken if you allow visitors to your site to add content to it or “echo back” values they’ve submitted (such as a word they’re searching for).

These days it’s better to use PHP libraries like PEAR::HTML_QuickForm or PEAR::Validate to prevent oversights when using regular expressions to validate incoming data.

When you need to allow visitors to add marked up content, the most effective approach is BBTags (common to vBulletin and phpBB) – PEAR::HTML_BBCodeParser can help. “One to watch” in that area is KSES, an “HTML and XHTML filter”, if you want visitors to be able to use native HTML tags rather than BBCode.
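As an added illustration of the two patterns above (it is not code from the article or from the PEAR or KSES projects), the PHP below escapes a search term before echoing it back and converts a small BBCode allow-list to HTML; the function names and the handful of supported tags are my own choices.

```php
<?php
// Added example: escape echoed-back input, and allow only a BBCode subset
// instead of raw HTML. Helper names are illustrative, not from any library.

// Escape a value for insertion into HTML text or a quoted attribute.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Echo a search term back safely: a submitted <script> tag becomes
// visible text instead of executing in the visitor's browser.
function search_echo(string $term): string
{
    return '<p>Results for: <b>' . escape_html($term) . '</b></p>';
}

// Convert a tiny BBCode subset to HTML. The whole string is escaped first,
// so the only markup that can reach the page is what these rules emit.
// [url] targets are limited to http/https, which drops javascript: links.
function bbcode_to_html(string $text): string
{
    $html = escape_html($text);
    $html = preg_replace('#\[b\](.*?)\[/b\]#s', '<b>$1</b>', $html);
    $html = preg_replace('#\[i\](.*?)\[/i\]#s', '<i>$1</i>', $html);
    $html = preg_replace_callback(
        '#\[url=([^\]]+)\](.*?)\[/url\]#s',
        function (array $m): string {
            // Undo the escaping on the target so the scheme check sees raw text.
            $href = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            if (!preg_match('#^https?://#i', $href)) {
                return $m[2]; // unsafe scheme: keep the link text, drop the link
            }
            return '<a href="' . escape_html($href) . '">' . $m[2] . '</a>';
        },
        $html
    );
    return $html;
}

// Constructed sample inputs mimicking hostile form submissions.
echo search_echo('<script>alert(1)</script>'), "\n";
echo bbcode_to_html(
    '[b]hello[/b] [url=javascript:alert(1)]bad[/url] [url=https://example.com/]ok[/url]'
), "\n";
```

Escaping first and re-introducing only known-safe tags is the same allow-list idea that BBCode parsers and HTML filters such as KSES apply.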