Cross-site scripting (XSS) attacks

Stored XSS
  - Filtering
    - Force the data type
    - strip_tags(), str_ireplace(), preg_replace()
  - Validation
    - strlen(), stripos(), preg_match()
  - Have a look at: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
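The filtering and validation steps above, as an added PHP example that is not part of the original notes: a comment is coerced to the right types, stripped of markup with strip_tags() and preg_replace(), and then checked with strlen(), stripos() and preg_match() before it is stored. The field names, the length limits, the tag whitelist and the sample input are assumptions made for illustration.

```php
<?php
// Added example (not from the original notes): server-side filtering and
// validation of a comment before it is stored. Field names, limits and the
// allowed-tag list are assumptions chosen for illustration.
declare(strict_types=1);

/**
 * Filter and validate a submitted comment. Returns ['ok' => true, 'record' => ...]
 * or ['ok' => false, 'errors' => [field => message]].
 */
function prepareCommentForStorage(array $post): array
{
    $errors = [];

    // Force the data type: the post ID is a positive integer or it is rejected.
    $postId = filter_var($post['post_id'] ?? '', FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    if ($postId === false) {
        $errors['post_id'] = 'post_id must be a positive integer';
    }

    // Filtering: remove all markup from the author name, then normalise whitespace.
    $author = trim(strip_tags((string)($post['author'] ?? '')));
    $author = preg_replace('/\s+/', ' ', $author);

    // Validation: byte-length limits with strlen(), allowed characters with preg_match().
    if (strlen($author) < 1 || strlen($author) > 40) {
        $errors['author'] = 'author must be 1-40 bytes';
    } elseif (!preg_match('/^[\p{L}\p{N} .\'-]+$/u', $author)) {
        $errors['author'] = 'author contains disallowed characters';
    }

    // The body may keep a small whitelist of tags; every other tag is stripped.
    $body = strip_tags((string)($post['body'] ?? ''), '<b><i><p>');
    // strip_tags() keeps attributes on whitelisted tags (e.g. onclick=...), so
    // rewrite each allowed opening tag to its bare form.
    $body = preg_replace('/<(b|i|p)\b[^>]*>/i', '<$1>', $body);
    // Defence in depth: refuse anything that still looks like script content.
    if (stripos($body, '<script') !== false || stripos($body, 'javascript:') !== false) {
        $errors['body'] = 'body contains disallowed content';
    } elseif (strlen($body) > 2000) {
        $errors['body'] = 'body must be at most 2000 bytes';
    }

    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors];
    }
    // Note: the stored record must still be escaped at output time (see
    // htmlspecialchars() below); filtering on input is not a substitute.
    return ['ok' => true, 'record' => ['post_id' => $postId, 'author' => $author, 'body' => $body]];
}

// Constructed sample input, as a hostile client might submit it.
$sample = [
    'post_id' => '42',
    'author'  => 'Ann <img src=x onerror=alert(1)>',
    'body'    => '<p onclick="alert(1)">Nice <b>post</b></p><script>alert(2)</script>',
];
// Result: ok => true, author "Ann", body "<p>Nice <b>post</b></p>alert(2)"
// (the <script> tags are stripped, leaving only their inert text).
var_dump(prepareCommentForStorage($sample));
```

The whitelist approach shown here is deliberately small; for rich-text input a dedicated HTML sanitiser is the safer choice, and in every case the value must still be escaped when it is rendered.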
Reflected XSS: escape all user output
  - htmlspecialchars(), htmlentities()
  - Setting the outbound character set
  - Redisplaying user-supplied form values
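The three output-side points above, as an added PHP example that is not part of the original notes: a single escaping helper built on htmlspecialchars(), the outbound character set set consistently in the HTTP header and the page, and a form value redisplayed through that helper. The request parameter name (q), the /search action and the sample query are assumptions.

```php
<?php
// Added example (not from the original notes): escaping user-supplied data on
// output, setting the outbound character set, and redisplaying form values.
// The parameter name "q" and the form action are assumptions.
declare(strict_types=1);

const CHARSET = 'UTF-8';

/** Escape a string for use in an HTML text node or a quoted attribute value. */
function e(string $value): string
{
    // ENT_QUOTES escapes both ' and " so the result is safe inside attributes;
    // ENT_SUBSTITUTE replaces invalid byte sequences instead of returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, CHARSET);
}

/**
 * Render a search page that redisplays what the user typed. $query comes
 * straight from the request and is untrusted.
 */
function renderSearchPage(string $query): string
{
    $q = e($query);   // escape once, then reuse in every HTML context below
    return <<<HTML
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>Search results for {$q}</title>
</head>
<body>
  <form method="get" action="/search">
    <input type="text" name="q" value="{$q}">
    <button type="submit">Search</button>
  </form>
  <p>You searched for: {$q}</p>
</body>
</html>
HTML;
}

// The HTTP header must agree with the <meta charset>: browsers use it to decide
// how to decode the bytes, and a mismatch can turn harmless bytes into markup.
header('Content-Type: text/html; charset=' . CHARSET);

// Constructed sample input; after escaping it is shown as literal text, both
// inside the value="..." attribute and in the paragraph.
$userQuery = $_GET['q'] ?? '"><script>alert(1)</script>';
echo renderSearchPage($userQuery);
```

Passing the character set to htmlspecialchars() explicitly, and keeping it identical to the Content-Type header, is what makes the escaping reliable: the function must know the encoding to recognise where one character ends and the next begins.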
Protecting forms

Don't forget HTML5 features!
  - maxlength
  - min=NNN, max=NNN
  - type=date|email|number|etc.
  - Caution:
    - Any of these can be overridden by the attacker!
    - Support is not consistent across browsers
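The HTML5 attributes listed above and the caution that follows them, as an added PHP example that is not part of the original notes: one field declaration drives both the maxlength/min/max/type attributes emitted in the form and the server-side checks that actually enforce them, so a submission that ignores the client-side constraints is still rejected. The field names, limits and the tampered sample submission are assumptions.

```php
<?php
// Added example (not from the original notes): HTML5 constraint attributes on a
// form, mirrored by the server-side checks that actually enforce them.
// Field names and limits are assumptions chosen for illustration.
declare(strict_types=1);

// One declaration drives both the markup and the validation, so they cannot drift apart.
const FIELDS = [
    'email'    => ['type' => 'email',  'maxlength' => 254],
    'age'      => ['type' => 'number', 'min' => 13, 'max' => 120],
    'birthday' => ['type' => 'date'],
    'nick'     => ['type' => 'text',   'maxlength' => 20],
];

function e(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Emit <input> elements carrying the HTML5 attributes (client-side hints only). */
function renderInputs(array $old = []): string
{
    $html = '';
    foreach (FIELDS as $name => $rule) {
        $attrs = ' type="' . e($rule['type']) . '" name="' . e($name) . '"';
        foreach (['maxlength', 'min', 'max'] as $k) {
            if (isset($rule[$k])) {
                $attrs .= " {$k}=\"" . e((string)$rule[$k]) . '"';
            }
        }
        // Redisplay the previous value, escaped, so the user can correct it.
        $attrs .= ' value="' . e($old[$name] ?? '') . '"';
        $html .= "<input{$attrs}>\n";
    }
    return $html;
}

/**
 * Server-side enforcement. A client can submit any bytes it likes regardless
 * of the attributes, so every rule is re-checked here. Returns field => error.
 */
function validate(array $post): array
{
    $errors = [];
    foreach (FIELDS as $name => $rule) {
        $v = (string)($post[$name] ?? '');
        if (isset($rule['maxlength']) && strlen($v) > $rule['maxlength']) {
            $errors[$name] = "longer than {$rule['maxlength']} bytes";
            continue;
        }
        switch ($rule['type']) {
            case 'email':
                if (filter_var($v, FILTER_VALIDATE_EMAIL) === false) {
                    $errors[$name] = 'not a valid e-mail address';
                }
                break;
            case 'number':
                $opts = ['options' => ['min_range' => $rule['min'], 'max_range' => $rule['max']]];
                if (filter_var($v, FILTER_VALIDATE_INT, $opts) === false) {
                    $errors[$name] = "not an integer in {$rule['min']}-{$rule['max']}";
                }
                break;
            case 'date':
                // Round-trip through DateTime so that e.g. 2020-02-31 is rejected.
                $d = DateTime::createFromFormat('!Y-m-d', $v);
                if ($d === false || $d->format('Y-m-d') !== $v) {
                    $errors[$name] = 'not a YYYY-MM-DD date';
                }
                break;
            default:
                // Plain text: length was checked above; markup is neutralised by
                // escaping on output, not by filtering here.
                break;
        }
    }
    return $errors;
}

// Constructed submission that ignores every client-side attribute.
$tampered = [
    'email'    => 'not an address <b>',
    'age'      => '9999',
    'birthday' => '2020-02-31',
    'nick'     => str_repeat('A', 500),
];
var_dump(validate($tampered));   // one error for each of the four fields
echo renderInputs($tampered);    // previous values redisplayed, escaped
```

Because browser support for these attributes varies and any of them can be removed or altered by the client, the attributes are best treated as usability features; the validate() function is the control that matters.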