0

I am from reading about XSS and I'm afraid about (malicious) people inputting HTML codes into my form fields eg JavaScript through the <script> </script> tags. How can i go about this to prevent XSS, or to prevent users from inputting HTML code in my input fields? Sorry if it looks simple.

gthuo
  • 2,376
  • 5
  • 23
  • 30
  • http://stackoverflow.com/questions/71328/what-are-the-best-practices-for-avoiding-xss-attacks-in-a-php-site – jcho360 Jul 26 '13 at 12:58

2 Answers2

0

You cannot prevent users from inputting this text, but you should deal the situation that they do. In case the text of the form fields is sent to the server, assume a user generates the http request with a script or other tool, and not in a browser at all. All user input should be validated on the server. However, in many cases, it is helpful for the non malicious users if you have some validation in the browser already. But this is just nice to the user and not a security measure.

FrankPl
  • 13,205
  • 2
  • 14
  • 40
  • so which are some of the ways i can deal with it on the server? – gthuo Jul 26 '13 at 14:06
  • This very much depends on what you do with the data. If using the data in a database query, use prepared statements. Do not send it back to the client without properly escaping it or removing all script code/html tags/... whatever might be harmful. – FrankPl Jul 26 '13 at 14:12
  • @FrankPI thanks. I already use prepared statements, so i can start using the PHP function `strip_tags()`. that should help to remove all the malicious tags, esp the script and anchor tags. – gthuo Jul 27 '13 at 09:01
0

if you are using PHP then use htmlentities($input_data) or htmlspecialchars($input_data) functions to bypass HTML tags and prevent executing.

shyammakwana.me
  • 5,562
  • 2
  • 29
  • 50