KacperM

Reputation: 109

Is it enough to avoid xss?

When a user puts <script>alert('Hello');</script> on my site, i.e. in the comments section, it is translated to: &lt;script&gt;alert('Hello');&lt;/script&gt; Is it enough to avoid an XSS attack on my site?

Upvotes: 1

Views: 283

Answers (3)

Jayan Raut

Reputation: 21

No, it's not... the user can change the case of script from lower to upper. He doesn't even need to do that for all letters. He can even use body instead of script and display something on load like

Lastly, he can even use random things like trying to import an image and, if it fails, specifying what the error action should be. The best way to get rid of all of this XSS client-side attack is to use an Anti-CSRF token: checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

Upvotes: 2

Amit Poonia

Reputation: 3

Have a look at these examples too for better security of your website:

1. Best Possible Security for Reflected XSS:

<?php

// Is there any input?
if( array_key_exists( "name", $_GET ) && $_GET[ 'name' ] != NULL ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input (HTML-encoded for output into the page body)
    $name = htmlspecialchars( $_GET[ 'name' ] );

    // Feedback for end user
    echo "<pre>Hello {$name}</pre>";
}

// Generate Anti-CSRF token
generateSessionToken();

?>

2. Best Possible Security for Stored XSS:

<?php

if( isset( $_POST[ 'btnSign' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $message = trim( $_POST[ 'mtxMessage' ] );
    $name    = trim( $_POST[ 'txtName' ] );

    // Sanitize message input: HTML-encode for output. SQL escaping is left to
    // the prepared statement below; mysql_real_escape_string() is not used, as it
    // needs a legacy mysql_* connection, no longer exists in PHP 7+, and would
    // double-escape values that are already bound as parameters.
    $message = stripslashes( $message );
    $message = htmlspecialchars( $message );

    // Sanitize name input (same treatment)
    $name = stripslashes( $name );
    $name = htmlspecialchars( $name );

    // Update database using bound parameters
    $data = $db->prepare( 'INSERT INTO guestbook ( comment, name ) VALUES ( :message, :name );' );
    $data->bindParam( ':message', $message, PDO::PARAM_STR );
    $data->bindParam( ':name', $name, PDO::PARAM_STR );
    $data->execute();
}

// Generate Anti-CSRF token
generateSessionToken();

?>

Upvotes: 0

v7d8dpo4

Reputation: 1399

If you convert every < to &lt; and every > to &gt;, it will prevent the user from entering any HTML tag. So it is enough.

Upvotes: 2
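As an added example (not code from the question or from any of the answers), the PHP below contrasts a tag blacklist, which the case-change trick in Jayan Raut's answer defeats, with the output encoding v7d8dpo4 describes, run over the payload variants this thread itself mentions; the function names and sample inputs are my own.

```php
<?php
// Added example: why output encoding beats a tag blacklist.

// A naive blacklist: removes only the literal lowercase <script> tag.
function blacklist_filter(string $input): string
{
    return str_replace(['<script>', '</script>'], '', $input);
}

// Output encoding for the HTML body/attribute context: '<', '>', '&', '"' and
// "'" all become entities, so the input can never open a tag or an attribute.
function encode_for_html(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// True if the string still contains a sequence a browser would parse as a tag.
function contains_tag(string $html): bool
{
    return (bool) preg_match('/<\s*\/?\s*[a-z][a-z0-9]*/i', $html);
}

// Constructed inputs mirroring the thread: the original payload, a case-changed
// variant, and a body/onload variant.
$samples = [
    "<script>alert('Hello');</script>",
    "<SCRIPT>alert('Hello');</SCRIPT>",
    "<body onload=\"alert('Hello')\">",
];

foreach ($samples as $s) {
    $filtered = blacklist_filter($s);
    $encoded  = encode_for_html($s);
    printf("input:     %s\n", $s);
    printf("blacklist: %s  (tag survives: %s)\n", $filtered, contains_tag($filtered) ? 'yes' : 'no');
    printf("encoded:   %s  (tag survives: %s)\n\n", $encoded, contains_tag($encoded) ? 'yes' : 'no');
}
```

Only the lowercase payload is neutralised by the blacklist, whereas encoding removes every tag boundary regardless of case or tag name; note that it protects the HTML body and quoted attribute contexts, not a value placed directly inside a script block or URL.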
