By Harry Fuecks

Security: Preventing Cross-site Scripting

By Harry Fuecks
Last chance to win! You'll get a... FREE 6-Month Subscription to SitePoint Premium Plus you'll go in the draw to WIN a new Macbook SitePoint 2017 Survey Yes, let's Do this It only takes 5 min

Good article summarizing the dangers of Cross-Site Scripting and how to prevent them. Examples are in Perl but the basic message is never trust anything from the browser.

Where cross-site scripting is concerned, particular caution needs to be taken if you allow visitors to your site to add content to it or “echo back” values they’ve submitted (such as a word they’re searching for).

These days it’s better to use PHP libraries like PEAR::HTML_QuickForm or PEAR::Validate to prevent oversights when using regular expressions to validate incoming data.

When you need to allow visitors to add marked up content, the most effective approach is BBTags (common to vBulletin and phpBB) – PEAR::HTML_BBCodeParser can help. “One to watch” in that area is KSES which is an “HTML and XHTML filter”, if you want visitors to be able to use native tags.

Login or Create Account to Comment
Login Create Account
Get the most important and interesting stories in tech. Straight to your inbox, daily.Is it good?