Byte-ul Posted August 9, 2014

What is it?

XSS is the injection and parsing of client-side code into web pages. This attack occurs when your web application outputs anything provided by your users (whether it's from your data persistence store, or from a recently submitted form) onto the webpage without escaping the data beforehand.

How do I Prevent it?

There are two functions you can use to mitigate XSS attacks: htmlspecialchars() and htmlentities(). These two functions are used for preservation of text to prevent the web browser from interpreting any client-side language it may contain. These two functions therefore have a different purpose than the strip_tags() function (see later on for why).

The only difference between htmlspecialchars() and htmlentities() is that the former function translates only special characters (&, ', ", <, >). The latter function on the other hand translates all characters which have HTML character entity equivalents into those entities.

Caveat:

If you're running a version of PHP prior to PHP 5.4 then you must provide the encoding type for these functions. This is because the default encoding type was ISO-8859-1, and so outputting characters such as the pound (£) and euro (€) signs would produce different output results from the original input. It is considered good practice to always specify the encoding type with these functions.

Tip:

It is considered good practice to not use these functions upon inputting data into your database. This is because you may choose to change the way you would like to output your data, such as using the strip_tags() function upon the output to just show raw text (see below for the strip_tags() function).

Another function that some people use to mitigate XSS attacks is strip_tags(), but they really shouldn't. It accepts two arguments; the first is the string to sanitise (strip of HTML tags) and the (optional) second argument is the whitelisted HTML tags not to strip.

The way this function works is that it'll look for an opening < sign and then a closing > sign, and then everything in between the two signs (including the signs themselves) is deleted from the string (regardless of whether it was an actual HTML tag or not). This function may seem helpful because it gets rid of any unwanted HTML code; though there are serious drawbacks to using it as a prevention method to XSS.

The first problem is that the function relies on the tags being correctly entered, i.e. having an opening and closing angular bracket (<, >). If this is not the case then the poster may find large amounts of their data/post (if not all) being deleted. Here is a quick demonstration of this:

<?php
$string = 'To initiate the execution of php code, we must start our PHP script with the opening tag, <?php. At the end of the PHP code, we can close off the script with a closing tag, ?>. This is <<em>basic</em> PHP knowledge.';
echo strip_tags($string);

The above would output:

To initiate the execution of php code, we must start our PHP script with the opening tag, . This is

So as you can see, we've lost most of the second sentence because of a misplaced opening angular bracket. Another thing from the example above you should have picked up upon is that we have lost most of the first sentence as well. This is where the second problem of using strip_tags() arises: accidental usage.

There is however a time and a place to use strip_tags(), and this is when we'd like to output raw content when we know there is valid, non-malformed HTML. The scenarios above would have derived from using the function upon input of data before converting all current HTML entity equivalents (with either htmlspecialchars() or htmlentities()) into their respective entities. One valid place to use the strip_tags() function would be when wanting to get or output plain text from a bulletin board (such as from this thread). This is because all of the HTML entity equivalents in the post would have been converted to their respective entities, and any valid BBCode used would have been converted to valid, well-formed HTML that can be safely stripped.

Credits: http://www.hackforums.net/showthread.php?tid=4238146
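As an added example (not code from Byte-ul's post), the script below puts the post's advice together: keep user input unchanged, escape it with htmlspecialchars() only at output time with an explicit ENT_QUOTES flag and UTF-8 encoding (so it behaves the same on PHP before and after 5.4), and use strip_tags() only on well-formed HTML that was produced from already-escaped text. The helper name escape_html(), the BBCode-to-HTML conversion and all sample strings are constructed for this illustration and are not part of the original post.

```php
<?php
// Escape-on-output helper. ENT_QUOTES covers both quote styles, which matters
// inside attribute values; passing 'UTF-8' explicitly avoids the ISO-8859-1
// default of PHP < 5.4 that mangles characters like £ and €.
function escape_html($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input, as a user might submit it in a form.
$untrusted = '<script>alert(1)</script> Price: £5 / 5€, "quoted" & \'single\'';

// Store $untrusted as-is (e.g. in the database) and escape only when rendering.
// Element content: the browser shows the literal text and executes nothing.
echo '<p>' . escape_html($untrusted) . '</p>', PHP_EOL;
// <p>&lt;script&gt;alert(1)&lt;/script&gt; Price: £5 / 5€, &quot;quoted&quot; &amp; &#039;single&#039;</p>

// Attribute context: the quotes must be escaped as well, which ENT_QUOTES guarantees,
// so the value cannot close the attribute early.
echo '<input type="text" value="' . escape_html($untrusted) . '">', PHP_EOL;

// Why strip_tags() is not a substitute: the same stray '<' as in the post's
// example puts the function into "inside a tag" state and it never comes back out.
$malformed = 'This is <<em>basic</em> PHP knowledge.';
var_dump(strip_tags($malformed));   // string(8) "This is "

// The one case the post endorses: plain-text extraction from a bulletin-board post.
// The raw text is escaped first (any user-typed '<' becomes '&lt;'), BBCode is then
// turned into well-formed tags, and only that well-formed HTML is stripped.
function bbcode_to_html($post)
{
    $escaped = escape_html($post);
    return str_replace(['[b]', '[/b]'], ['<strong>', '</strong>'], $escaped);
}

$post = 'Use [b]htmlspecialchars()[/b] for 1 < 2 comparisons';
$html = bbcode_to_html($post);
echo $html, PHP_EOL;
// Use <strong>htmlspecialchars()</strong> for 1 &lt; 2 comparisons
echo strip_tags($html), PHP_EOL;
// Use htmlspecialchars() for 1 &lt; 2 comparisons   (nothing lost: '&lt;' is not a tag start)
```

The ordering in bbcode_to_html() is the whole point: escaping before the BBCode conversion means every `<` in the final string was written by the application, so strip_tags() only ever sees tags it can parse, and the user's own text survives intact.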