
Possible Duplicate:
What are the best practices for avoiding xss attacks in a PHP site
Examples of XSS that I can use to test my page input?

What are examples/types of client side xss attacks in php and how can I prevent them?

rjmcb
  • See: [Examples of XSS that I can use to test my page input?](http://stackoverflow.com/questions/7232405/examples-of-xss-that-i-can-use-to-test-my-page-input), [What are the best practices for avoiding xss attacks in a PHP site](http://stackoverflow.com/questions/71328/what-are-the-best-practices-for-avoiding-xss-attacks-in-a-php-site), [How XSS attack really works?](http://stackoverflow.com/questions/3364427/how-xss-attack-really-works), http://stackoverflow.com/search?q=xss+php... – Wesley Murch Feb 22 '12 at 07:03
  • https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet – Cheekysoft Feb 22 '12 at 14:33

1 Answer

  1. Plain text as HTML: when you forget to escape plain text with htmlspecialchars. No prevention needed beyond escaping your variables when you use PHP in templates. Or use smarty/twig/etc.

  2. HTML as HTML: when you allow users to create HTML (fckeditor/tinymce/plain HTML/etc). Use an HTML sanitizer.

  3. BB codes to HTML conversion. Do not use your own regex-based parser; use only FSM parsers.

Dmitry
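Case 1 from the answer, as an added example that is not the answerer's code: the same template fragment with the variable inserted raw and then escaped at the point of output with htmlspecialchars, plus the different encoder an inline script context needs. The helper names e() and e_js(), the "display name" field and the sample input are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Escape for HTML text content and double-quoted attribute values.
// ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string, which would
// silently drop the output and hide the problem.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode a value as a JS string literal for an inline <script> block.
// The JSON_HEX_* flags keep "<", ">", "&" and both quote characters out of
// the raw output, so a value containing "</script>" cannot end the block.
function e_js(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample input: a value typed into a hypothetical "display name"
// field. The leading quote closes the attribute, so anything after it is
// parsed by the browser as markup rather than as the name.
$name = '"><b>injected</b>';

// Vulnerable: plain text inserted into HTML unescaped (case 1 in the answer).
$vulnerable = '<input value="' . $name . '">';

// Fixed: the same template, variable escaped where it is output.
$fixed = '<input value="' . e($name) . '">';

// The same data in a script context needs the script-context encoder,
// not htmlspecialchars.
$script = '<script>var name = ' . e_js($name) . ';</script>';

echo $vulnerable, "\n", $fixed, "\n", $script, "\n";
```

Running it prints the broken attribute first, then the escaped version in which the quote and angle brackets appear as entities, so the browser renders the input as literal text.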