Discuss!
Well, first and foremost, you're stuck with using charset=utf-8 to prevent XSS attacks from happening on IE6.
If you want to test whether your application is vulnerable to XSS, here's a link with some of the most common/intricate XSS attacks: http://ha.ckers.org/xss.html
If you want a somewhat efficient way to filter XSS attacks from untrusted output (input), here's one way: kses, see http://sourceforge.net/projects/kses
Last edited by proners (May 11 2009)
I'm a big fan of RSnake's blog, really cool stuff over there.
As for preventing XSS, I usually strip off all unwanted characters (the hardcore approach, using preg_match) or just use htmlentities(), which converts all applicable characters to HTML entities.
Well, using htmlentities is the safest approach, but it is also the most inflexible one. It really depends on what you're working on; if you want something fast and safe, htmlentities is the way to go...
proners wrote: you're stuck with using charset=utf-8 to prevent xss attacks from happening on IE6
Stuck with utf-8? Shouldn't you want to use utf-8 anyway?
You'd want to use UTF-8 because it's the only reliable option to prevent XSS attacks; why would someone want to do more post-processing (conversion, custom filtering) if another option such as Unicode were reliable? All operating systems do support it, but browser technology forces you to stay on UTF-8... so sometimes what you want is not really an option, it's what you have to do...
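The two points made above (escape untrusted data with htmlentities-style encoding, and declare charset=utf-8 so old IE cannot sniff the page as something else) fit together in one small PHP example. This is an added example, not code from the thread or from kses; the helper names send_html_headers(), e() and render_comment() and the sample comments are assumptions made here. The last sample is the UTF-7 form of <script>alert(1)</script>: it contains no '<' or '>' for the escaper to touch, which is exactly why the explicit charset header is part of the defence and not an optional extra.

```php
<?php
// Added example (not from the thread). Helper names are hypothetical.
declare(strict_types=1);

// State the charset explicitly. Without it, IE6/7 could auto-detect the
// document as UTF-7, and a UTF-7-encoded payload has no '<' or '>' left
// for htmlspecialchars() to escape.
function send_html_headers(): void
{
    header('Content-Type: text/html; charset=utf-8');
    // Extra guard against content sniffing in later browsers.
    header('X-Content-Type-Options: nosniff');
}

// Escape untrusted data for an HTML text node or a double-quoted attribute.
// ENT_QUOTES escapes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences with U+FFFD instead of returning '' (an empty return would
// silently drop content and can hide an attack in the logs).
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render a fragment with untrusted values in both attribute and text positions.
function render_comment(string $author, string $body): string
{
    return '<div class="comment" data-author="' . e($author) . '">'
         . '<strong>' . e($author) . '</strong>: ' . e($body) . '</div>';
}

// Constructed sample inputs (not real submissions).
$samples = [
    'plain'  => ['alice',   'hello world'],
    'script' => ['mallory', '<script>alert(1)</script>'],
    'attr'   => ['" onmouseover="alert(1)', 'x'],
    // UTF-7 spelling of <script>alert(1)</script>: inert when the page is
    // served as UTF-8, executed by a charset-sniffing browser if it is not.
    'utf7'   => ['eve', '+ADw-script+AD4-alert(1)+ADw-/script+AD4-'],
];

if (PHP_SAPI !== 'cli') {
    send_html_headers();
}
foreach ($samples as $name => [$author, $body]) {
    echo $name, ': ', render_comment($author, $body), "\n";
}
```

Run it from the command line to see the escaping: the 'script' and 'attr' cases come out as harmless entities, while the 'utf7' body is emitted byte-for-byte unchanged. htmlspecialchars() with ENT_QUOTES is enough for HTML body and attribute contexts and, unlike htmlentities(), leaves non-ASCII text readable in a UTF-8 page; neither function is correct for JavaScript, URL or CSS contexts, which need their own encoders. If you must allow some HTML through (the kses use case), filtering is a separate, allow-list based step and does not replace output escaping elsewhere on the page.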
Keep in mind, your job is to send valid data to the browser, and to avoid code injection.
As a developer, I refuse to put in extra work to fix shortcomings that should be fixed by the maker of the browser.
I refuse to put in extra work to fix shortcomings that should be fixed by the maker of the browser.
Good luck with IE :)
I will try to skip features that require such workarounds, as much as possible.