cross site scripting (XSS) attacks

• Stored XSS

  .
  
  

  • Filtering
  • Force the data type
  • strip_tags(), str_ireplace(), preg_replace()
  • Validation:
  • strlen(), stripos(), preg_match()
  • Have a look at: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet.

• Reflected XSS: escape all user output

  .
  
  

  • htmlspecialchars(), htmlentities()
  • Setting the outbound character set
  • Redisplaying user-supplied form values

• Protecting forms

  .
  
  

  • Single use hash
  • CAPTCHAs

• Don't forget HTML5 features!

  .
  
  

  • maxlength
  • min=NNN, max=NNN
  • type=date|email|number|etc.
  • Caution:
  • Any of these can be overridden by the attacker!
  • Support is not consistent across browsers