
I have a Windows Forms (C#) application where users can give feedback, and the site owner can check it on the website, but I'm not good with PHP, so I want to block it instantly in the Windows Forms application. So, does this code stop it:

Regex.Replace(p.Message, @"<[^>]*>", String.Empty)
  • No. There are AntiXSS libraries out there, you ought to look into them. If you can make changes to the PHP code, here's a Stack Overflow question with an AntiXSS library for PHP: http://stackoverflow.com/questions/3974221/is-there-a-definitive-anti-xss-library-for-php If you can't, I don't really recommend mucking with the input, but if it's what you have to do, you could see if a .NET Anti-XSS library would help you there (maybe run it through the library and store that). – George Stocker Feb 02 '14 at 16:22
  • Is the feedback sent to the server in a secure manner? Else a malicious user could just send some XSS code directly to your server and bypass the safety features in your application. It would be a lot better if you did it in your PHP script. – Karl-Johan Sjögren Feb 02 '14 at 16:53
  • It should be up to the website to encode the displayed text when output in HTML rather than being stored in HTML format. What if you later needed to output the text in a JSON response? This would need different encoding to make it secure. My tip is to store everything unencoded, then encode as necessary per output context. – SilverlightFox Feb 03 '14 at 14:29
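An added example that is not part of the original question or comments: the asker's `<[^>]*>` regex ported to JavaScript and run against a few constructed inputs it fails on, next to the approach the comments recommend (store the raw text, encode it for the context it is output into). The function names, the `CONSTRUCTED_INPUTS` values and the `renderFeedback` markup are assumptions made for this illustration, not anything from the asker's application or the PHP site.

```javascript
// Added example (not from the original question): what the asker's regex misses,
// and the context-aware output encoding recommended in the comments.

// Same pattern as the C# call Regex.Replace(p.Message, @"<[^>]*>", String.Empty),
// ported to JavaScript: delete anything that looks like a complete tag.
function stripTags(message) {
  return message.replace(/<[^>]*>/g, "");
}

// Constructed inputs for this illustration (not taken from any real feedback form).
const CONSTRUCTED_INPUTS = {
  // No '>' anywhere, so the regex never matches; the browser closes the tag at
  // the next '>' it finds in the surrounding page.
  unclosedTag: "<img src=x onerror=alert(1)",
  // No '<' or '>' at all: breaks out of value="..." if the text lands in an attribute.
  attributeBreakout: '" autofocus onfocus=alert(1) x="',
  // Harmless text that the regex silently mangles.
  legitimateText: "I think 1 < 2 and 3 > 1, right?",
  // Would end a <script> block if embedded as unescaped JSON.
  scriptBreakout: "</script><script>alert(1)</script>",
};

// Store the raw message; encode at output time for the context it lands in.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// Safe for an HTML text node and for a double-quoted attribute value.
function encodeForHtml(s) {
  return s.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Safe for a JSON response; '<' is additionally escaped so the result can be
// embedded inside a <script> element without terminating it.
function encodeForJson(s) {
  return JSON.stringify(s).replace(/</g, "\\u003c");
}

// What the website should emit: the same stored message, encoded per context.
function renderFeedback(message) {
  return (
    `<p>${encodeForHtml(message)}</p>\n` +
    `<input type="text" value="${encodeForHtml(message)}">`
  );
}

// Side-by-side result for one message: regex stripping vs. output encoding.
function compare(message) {
  const stripped = stripTags(message);
  return {
    stripped,
    strippingChangedNothing: stripped === message,
    rendered: renderFeedback(message),
    json: encodeForJson(message),
  };
}

for (const [name, input] of Object.entries(CONSTRUCTED_INPUTS)) {
  console.log(name, compare(input));
}
```

Run it with `node`. The first two inputs pass through `stripTags` untouched, the third loses real content, and every one of them is inert after `encodeForHtml` or `encodeForJson`. The attribute case assumes the attribute is always double-quoted in the template; an unquoted attribute needs a stricter encoder than this one.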
