CodingPHP Sanitization + XSS

  

Press Ctrl+Enter to quickly submit your post
Quick Reply  
 
 
  
 From:  ANT_THOMAS   23 Jan 2012 13:59 
 To:  ALL 1 of 5 
39261.1 

I've made a little page to stick some values in and generate a result based on the input.

 

I'd like to sanitize the input by preventing/removing certain characters and prevent XSS attacks.

 

Any easy guides?
0/0
 Reply   Quote More 

 From:  Matt   23 Jan 2012 14:34 
 To:  ANT_THOMAS      2 of 5 
39261.2 In reply to 39261.1 
Unless you need it unescaped, escape all user input that you use. You can accomplish most of this using htmlentities().

doohicky
0/0
 Reply   Quote More 

 From:  Peter (BOUGHTONP)   23 Jan 2012 14:59 
 To:  ANT_THOMAS      3 of 5 
39261.3 In reply to 39261.1 
^ that's the sledgehammer approach - seems to work but not the best solution.

Look for the PHP implementation of the OWASP ESAPI library, which has context specific functions (e.g. encodeForHtml, encodeForSQL, encodeForUrl, etc) which allow you to perform the correct escapes for where you are using the data.
0/0
 Reply   Quote More 

 From:  ANT_THOMAS   23 Jan 2012 15:11 
 To:  ALL 4 of 5 
39261.4 

Thanks!

 

I think I'll try the sledgehammer approach first.

 

It really is very basic, but since it's going to be open to the public (and already posted on a public forum) I'd like it to be reasonable safe. Especially since I've been checking my access.log for Apache lately and there's a number of requests for certain config files that do exist on one of my servers, but not accessible via the web server. Basically people trying to steal some usernames and passwords, but they can't get to the them thankfully.

 

 
0/0
 Reply   Quote More 

 From:  Peter (BOUGHTONP)   23 Jan 2012 15:26 
 To:  ANT_THOMAS      5 of 5 
39261.5 In reply to 39261.4 
Why Can't I Just HTML Entity Encode Untrusted Data?
HTML entity encoding is okay for untrusted data that you put in the body of the HTML document, such as inside a <div> tag. It even sort of works for untrusted data that goes into attributes, particularly if you're religious about using quotes around your attributes. But HTML entity encoding doesn't work if you're putting untrusted data inside a <script> tag anywhere, or an event handler attribute like onmouseover, or inside CSS, or in a URL. So even if you use an HTML entity encoding method everywhere, you are still most likely vulnerable to XSS. You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into.
0/0
 Reply   Quote More 

Reply to All    
 

1–5

Rate my interest:

Adjust text size : Smaller 10 Larger

Beehive Forum 1.5.2 |  FAQ |  Docs |  Support |  Donate! ©2002 - 2024 Project Beehive Forum

Forum Stats