Title: Cross-Site Scripting (XSS) Prevention Basics
Author: LeeDavis
Category: CODING
Published: 2017-02-26 15:49:29
Clicks: 51

Web applications are the most frequent target of this attack vector. By exploiting weaknesses in browser security, attackers inject client-side code into vulnerable pages and affect every machine that loads that page. Dangerous indeed. When should you use anti-XSS methods? Any time you output something users can tamper with; otherwise an attacker can use HTML characters to add an invisible iframe or script to the page, like:

<script type="text/javascript">alert('I0wn3dU!!');</script>

JavaScript is by far the most common client-side script used in these attacks. Typical payloads perform URL redirections, "cookiejacking", "clickjacking", or unauthorized actions that damage the site and/or destroy data in the database. Suppose a link was submitted in the situation above and the end result sent visitors to an attacker's page for more mayhem. By passing the output through htmlspecialchars() or htmlentities(), you stop these characters from doing what the attacker intended: the injected code above would no longer execute and would instead be displayed as plain text, if at all.

<?php
// Escape HTML special characters with htmlspecialchars()
// Sample input: $_POST['link'] = "test"
// ENT_QUOTES converts both double and single quotes
$link = htmlspecialchars($_POST['link'], ENT_QUOTES);
echo $link;
?>

This is a MUCH safer way to do business for your web application, because you've escaped the HTML special characters into their HTML character entities. They are listed below:

& = &amp;
< = &lt;
> = &gt;
" = &quot;
' = &#x27; (&apos; is not to be used)
/ = &#x2F; (the forward slash is included because it can end an HTML entity)
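To make this concrete, here is an added example (not code from the original post) that wraps htmlspecialchars() in a small helper and runs constructed inputs through it, showing the weak flag setting beside the corrected one; the helper name e() and the sample inputs are my own.

```php
<?php
// Added example, not code from the original post: one escaping helper used at
// every point where user-controlled data is written into an HTML page.

/**
 * Escape a string for insertion into HTML text or a quoted attribute value.
 * ENT_QUOTES converts both " and ' (before PHP 8.1 the default flags left ' alone,
 * which matters inside single-quoted attributes); ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of silently returning an empty string; the charset must match the
 * page's own encoding.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs standing in for $_POST['link'] (not real traffic).
$inputs = [
    "<script type=\"text/javascript\">alert('I0wn3dU!!');</script>",
    "' title='escaped from the attribute",  // a lone quote breaks the attribute boundary
    "https://example.com/?a=1&b=2",         // harmless, but & still needs escaping
];

foreach ($inputs as $raw) {
    // Unsafe: the raw value is reflected, so the browser parses attacker markup.
    $unsafe = "<a href='" . $raw . "'>link</a>";
    // Safe: special characters become entities and the browser renders them as text.
    $safe = "<a href='" . e($raw) . "'>link</a>";
    echo "unsafe: $unsafe\n";
    echo "safe:   $safe\n\n";
}

// Caveats a practitioner should know about htmlspecialchars():
// 1. With ENT_COMPAT (the pre-8.1 default) the single quote is left untouched,
//    so the second sample above would still break out of a single-quoted attribute.
echo htmlspecialchars("' title='x", ENT_COMPAT, 'UTF-8'), "\n";
// 2. It never escapes '/', so the last row of the entity table above comes from
//    the OWASP recommendation rather than from this function.
echo htmlspecialchars("</b>", ENT_QUOTES, 'UTF-8'), "\n";
```

Run it from the command line with php and compare the unsafe and safe lines for each input; only the safe lines are fit to be sent to a browser.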