Comments on: Cross-site scripting ( xss ) attack by example and prevention in PHP

By: sdsa

sdsa — Tue, 29 Sep 2009 05:52:03 +0000

Hi Michael, very gud job, keep it up!

By: Portfolio blog » Blog Archive » urgently upgrade your wordpress

Portfolio blog » Blog Archive » urgently upgrade your wordpress — Thu, 23 Jul 2009 05:55:07 +0000

[...] and if you’re running a Wordpress powered blog then upgrade it to version 2.6.5. It is a XSS exploit discovered in the 2.6.5 [...]

By: Sam

Sam — Sun, 12 Jul 2009 01:16:57 +0000

Approve me XD

By: Sam

Sam — Sun, 12 Jul 2009 01:15:24 +0000

Nice job on article

By: Ravi Chamria

Ravi Chamria — Mon, 22 Jun 2009 15:57:44 +0000

Do not completely trust Web sites that use HTTPS (Secure Sockets Layer) when it comes to XSS; HTTPS ensures secure connections, but processing of the data entered by the user is internal to the application. If the application has XSS holes, the attacker may send a malicious script that can still be executed by the application and lead to XSS intrusions.

By: Urgently upgrade your wordpress to version 2.6.5

Urgently upgrade your wordpress to version 2.6.5 — Wed, 26 Nov 2008 10:01:40 +0000

[...] and if you’re running a Wordpress powered blog then upgrade it to version 2.6.5. It is a XSS exploit discovered in the 2.6.5 [...]

By: Useful functions to tighten the PHP security

Useful functions to tighten the PHP security — Sat, 24 May 2008 18:39:56 +0000

[...] which is very handy for preventing your website from various attacks like SQL Injection Attack , XSS attack etc.Let’s check few useful functions available in PHP to tighten the security in your [...]

By: sam

sam — Fri, 16 May 2008 23:32:45 +0000

Hi Michael, very gud job, keep it up!

By: Secure security » Blog Archive » Quick PHP Form Validator

Secure security » Blog Archive » Quick PHP Form Validator — Sun, 04 May 2008 23:48:01 +0000

[...] http://roshanbh.com.np/2007/12/cross-site-scripting-xss-attack-by-example-and-prevention-in-php.html [...]

By: Roshan

Roshan — Thu, 24 Apr 2008 15:21:00 +0000

I absolutely agree wiht you safiq…

By: Zend Certified Engineer

Zend Certified Engineer — Thu, 24 Apr 2008 12:33:05 +0000

White list input filtering is recommended in order to avoid cross site scripting.

Every php developer should never trust the user provided data even if it is from cookie, drop down list or hidden form fields.

We should always check the script tag in user input data too which is more dangerous in this context.

By: will

will — Tue, 15 Jan 2008 14:43:07 +0000

XSS can also occur by hiding html within html.
php’s strip_tags won’t catch it.

Aside from that, javascript validations are handy, but can only take your site so far. Javascript has very little unicode support, so it may not be the best tool for multi-lingual sites.

People that use browsers like Lynx or Netscape 4 (i know …. REALLY old), may not have have javascript running or a very old version of javascript running which may cause validations to not run.

XSS Prevention should occur at the server level no matter what, when processing or storing input. In the event a browser dependency fails (in this case javascript), it becomes possible for the attacker to slip data in as they see fit.

OSCommerce.org has an article in its documentation regarding XSS Prevention which highlights the key points of prevention fairly well.

By: Ryan

Ryan — Tue, 08 Jan 2008 21:53:31 +0000

Thanks for this excellent article. I had heard about these attacks, but it was quite vague to me, and I had no idea how easy it was. Just underlines the importance of data validation on web forms. Thanks for the eye opener!

BTW. Your site has some pretty informative articles. Keep up the good work. I’ll drop by from time to time.