LebGeeks

A community for technology geeks in Lebanon.


#1 May 11 2009

proners
Member

filter out xss attacks

Discuss!

well, first and foremost, you're stuck with using charset=utf-8 to prevent xss attacks from happening on IE6

if you want to test whether your application is vulnerable to xss, here's a link to test some of the most common/intricate xss attacks: http://ha.ckers.org/xss.html

if you want a somewhat efficient way to filter xss attacks from untrusted output (input), here's one way: kses, see http://sourceforge.net/projects/kses

Last edited by proners (May 11 2009)


#2 May 12 2009

samer
Admin

Re: filter out xss attacks

I'm a big fan of RSnake's blog, really cool stuff over there.

As for preventing XSS, I usually strip off all unwanted characters (hardcore approach using preg_match) or just use htmlentities(); which converts all applicable characters to HTML entities.


#3 May 12 2009

proners
Member

Re: filter out xss attacks

well, using htmlentities is the safest approach, but it is also the most inflexible one. it really depends on what you're working on; if you want something fast and safe, htmlentities is the way to go...

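Added example (not code from any poster, and written in Python rather than the PHP the thread is discussing): it puts the two approaches from posts #2 and #3 side by side, a regex "strip unwanted characters" filter and an htmlentities-style escape on output (the Python equivalent of htmlentities($s, ENT_QUOTES, 'UTF-8')), and also emits the explicit charset=utf-8 declaration that post #1 says is needed. The comment text and the function names are constructed for the example.

```python
import html
import re

# Approach 1, the "hardcore" blacklist: strip anything that looks like a tag.
# Included to show its cost: it destroys legitimate text and offers no
# guarantee about what remains, so it is not the recommended path.
TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(untrusted: str) -> str:
    """Remove every <...> run from the input (blacklist approach)."""
    return TAG_RE.sub("", untrusted)


# Approach 2, escape on output: the equivalent of PHP's
# htmlentities($s, ENT_QUOTES, 'UTF-8'). quote=True also escapes " and '
# so the result is safe inside quoted attribute values, not just text nodes.
def escape_html(untrusted: str) -> str:
    """Convert &, <, >, \" and ' to HTML entities; the content is preserved."""
    return html.escape(untrusted, quote=True)


def render_comment(author: str, body: str) -> str:
    """Build an HTML fragment, escaping each untrusted value where it is inserted.

    Both contexts used here (a double-quoted attribute and a text node) are
    covered by escape_html; other contexts (JavaScript, URLs) need their own
    encoders and are outside this example.
    """
    return (
        f'<p class="comment" data-author="{escape_html(author)}">'
        f"{escape_html(body)}</p>"
    )


def has_unescaped_markup(fragment: str) -> bool:
    """Cheap check a template test can run: escaped output never contains < or >."""
    return "<" in fragment or ">" in fragment


def build_response(body_html: str) -> dict:
    """Wrap the fragment in a document that declares charset=utf-8 twice.

    The declaration goes in the Content-Type header and in a <meta> tag so
    the browser never has to guess the encoding (the IE6 point from post #1).
    """
    document = (
        "<!DOCTYPE html><html><head>"
        '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        "</head><body>" + body_html + "</body></html>"
    )
    return {
        "headers": {"Content-Type": "text/html; charset=utf-8"},
        "body": document.encode("utf-8"),
    }


if __name__ == "__main__":
    # Constructed sample input: ordinary prose that happens to contain markup
    # characters, plus a comparison that is legitimate text but looks like a tag.
    sample = 'I said "hi" & left <b>bold</b>'
    comparison = "a < b and c > d"

    print("stripped :", strip_tags(sample))       # bold is kept, tags silently gone
    print("stripped :", strip_tags(comparison))   # legitimate text is mangled
    print("escaped  :", escape_html(sample))      # every character survives, inert
    print("escaped  :", escape_html(comparison))

    page = build_response(render_comment('O"Reilly', sample))
    print(page["headers"]["Content-Type"])
    print(page["body"].decode("utf-8"))
```

The difference to notice is that stripping throws information away (the comparison becomes "a  d") while still leaving you to reason about what the filter missed, whereas escaping keeps the user's text intact and makes the browser treat it as data; that is the "safe but inflexible" trade-off post #3 describes, since escaped output cannot carry any markup at all.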

#4 May 12 2009

hussam
Member

Re: filter out xss attacks

proners wrote:

you're stuck with using charset=utf-8 to prevent xss attacks from happening on IE6

Stuck with utf-8? Shouldn't you want to use utf-8 anyway?


#5 May 12 2009

proners
Member

Re: filter out xss attacks

hussam wrote:
proners wrote:

you're stuck with using charset=utf-8 to prevent xss attacks from happening on IE6

Stuck with utf-8? Shouldn't you want to use utf-8 anyway?

you'd want to use utf-8 because it's the only reliable option to prevent xss attacks; why would someone want to do more post-processing (conversion, custom filtering) if another option such as unicode was reliable? all operating systems do support it, but the browser technology forces you to stay on utf-8.. so sometimes what you want is not really an option, it's what you have to do ...


#6 May 12 2009

rolf
Member

Re: filter out xss attacks

Keep in mind, your job is to send valid data to the browser, and to avoid code injection.
As a developer, I refuse to put in extra work to fix shortcomings that should be fixed by the maker of the browser.


#7 May 12 2009

samer
Admin

Re: filter out xss attacks

I refuse to put in extra work to fix shortcomings that should be fixed by the maker of the browser.

Good luck with IE :)


#8 May 13 2009

rolf
Member

Re: filter out xss attacks

I will try to skip features that require such workarounds, as much as possible.

