
I've been working on a website (lualessons.x10host.com) and I've been told my website can easily be injected by cross-site scripting. Is there a good way to fix this? Thank you in advance.

1 Answer


Do you know how XSS works? If not, here's a simple explanation of basic XSS: if you get inputs from users in "type=text" input fields on forms, the user can write JavaScript-like code in it (on your site I could write in the "Username" field something like <script type="text/javascript">alert("hello")</script>). As the username is mostly displayed, this code would be written to the database and afterwards back into the HTML when someone logs in or visits my profile. Then this JavaScript code would be executed. In this case it's just a simple alert, so it wouldn't harm anything, but I think you get the concept now.

To provide protection against that I would use htmlentities($your_string) in PHP. So if you get your values via POST or GET, make sure you convert them to "friendly" values, e.g.

<?php
// Only read the field when the form was actually submitted
if (isset($_POST["your_name_tag_from_html"])) {
    // Convert &, <, >, " and ' to HTML entities so the browser renders
    // the user's text literally instead of parsing it as markup/script
    $friendlyvalue = htmlentities($_POST["your_name_tag_from_html"], ENT_QUOTES, 'UTF-8');
} else {
    // No submission: start from an empty string instead of an undefined variable
    $friendlyvalue = '';
}

// do something with $friendlyvalue
?>

I hope this helped you :)

François
  • Sorry for the late answer, but... Yes, I know what XSS is. Your answer helped, though, so accepted. One more question: does htmlentities() cancel out characters like [] as well as <>, for I'd like to include some bbcode elements. – Alex Groves Dec 16 '15 at 20:05
  • Hi Alex, bbcode works with PHP; see the result in the db (first bbcode, then html): [center]zentriert[/center] <center>zentriert</center> – François Dec 16 '15 at 21:19
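The answer above recommends htmlentities(), and the comments ask whether it also touches the [ and ] that bbcode relies on. The following is an added example, not code from the answer or the asker's site, showing the order that keeps both goals compatible: escape everything first (htmlentities leaves [ and ] alone, so the bbcode markers survive), then convert only a small whitelist of bbcode tags back into HTML. The tag names, the helper functions and the sample input are constructed for illustration.

```php
<?php
// Added example (not from the original answer). Assumed helper names:
// escape_html() and bbcode_to_html(); the bbcode whitelist is illustrative.

function escape_html(string $raw): string {
    // htmlentities converts & < > and, with ENT_QUOTES, " and ' into entities.
    // It does NOT touch [ or ], which is what lets bbcode survive this step.
    // ENT_SUBSTITUTE replaces invalid UTF-8 bytes instead of returning "".
    return htmlentities($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function bbcode_to_html(string $raw): string {
    // 1. Escape everything the user typed. Any <script> they wrote is now
    //    inert text (&lt;script&gt;...), whatever the database stored.
    $safe = escape_html($raw);

    // 2. Re-enable only the bbcode tags you explicitly choose. Because the
    //    brackets survived step 1 these patterns still match; anything the
    //    user wrote that is not on this list stays escaped.
    //    [url] is deliberately left out: a user-supplied href would need its
    //    own validation (scheme check) before being placed in an attribute.
    $patterns = [
        '~\[b\](.*?)\[/b\]~is'           => '<strong>$1</strong>',
        '~\[i\](.*?)\[/i\]~is'           => '<em>$1</em>',
        '~\[center\](.*?)\[/center\]~is' => '<div style="text-align:center">$1</div>',
    ];
    return preg_replace(array_keys($patterns), array_values($patterns), $safe);
}

// Constructed sample input: a "username" that contains both an injected
// script and a legitimate bbcode tag, mirroring the thread's examples.
$input = '<script type="text/javascript">alert("hello")</script>[center]zentriert[/center]';

echo bbcode_to_html($input), PHP_EOL;
```

Run with `php example.php`. The script tag comes out as entity-encoded text (the browser displays it rather than executing it), while the [center] tag becomes the centered div. Doing the conversion in the other order, bbcode first and escaping afterwards, would encode the generated HTML too and render it as literal text, so escape first, then whitelist.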