PHP - Security


How to prevent Cross Site Scripting (XSS) attacks?

If our site has a web-based HTML editor (TinyMCE, FCKeditor, etc.), then we are definitely accepting HTML from our users, who can format text however they please. These editors may or may not try to prevent XSS on the client side, but we should not rely on that: think about what happens if a user turns off JavaScript. They get a standard textarea and can submit whatever HTML they want, and anyone who posts the form directly with a script can do the same. Any filtering must therefore be done on the server, not in the editor. One way to prevent XSS attacks is to disallow HTML altogether (in PHP, passing everything through htmlspecialchars() before output). However, if we do this, then formatting is also disabled, which is not always an option for forum and blog software that relies on rich text or a web-based HTML editor.

If we want HTML mostly disabled but still want to allow simple formatting, we can allow just a few selected HTML tags (without attributes), such as strong or em, and escape everything else. Attributes are what usually reopen the hole (onclick, onmouseover, a javascript: URL in href), so an attribute-less whitelist keeps the attack surface small. Alternatively, we can allow a popular set of tags called "BBCode" or "BB Tags", which uses square brackets ([b], [i], [url]) and is translated into HTML on the server. This is a good way to allow some formatting customization while disallowing anything dangerous, provided that the raw HTML is escaped before the BBCode is converted and that any tag which produces an attribute (such as [url]) validates its value. We can implement BBCode using a pre-existing package such as HTML_BBCode or write our own.
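The following PHP is an added illustration of the three approaches above (escape everything, a small attribute-less tag whitelist, and a minimal BBCode translator). It is not code from the original page and not the HTML_BBCode package; the function names and the sample input are assumptions made for this example.

```php
<?php
// Added example, not from the original page. Function names and the sample
// input below are assumptions made for illustration.

declare(strict_types=1);

// 1. Disallow HTML altogether: escape everything on output.
function render_plain(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2. Allow a few attribute-less tags. Everything is escaped first, then only
//    the exact escaped forms &lt;tag&gt; / &lt;/tag&gt; are restored, so a tag
//    carrying an attribute (e.g. <strong onmouseover=...>) stays escaped.
function render_limited_html(string $input, array $allowedTags = ['strong', 'em', 'p', 'br']): string
{
    $out = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    foreach ($allowedTags as $tag) {
        $out = str_replace("&lt;$tag&gt;", "<$tag>", $out);
        $out = str_replace("&lt;/$tag&gt;", "</$tag>", $out);
    }
    return $out;
}

// 3. BBCode: escape first (raw HTML is neutralised; square brackets survive),
//    then translate a fixed set of BBCode tags into HTML.
function render_bbcode(string $input): string
{
    $out = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Tags that produce no attribute can be mapped with plain regexes.
    $simple = [
        '/\[b\](.*?)\[\/b\]/s'       => '<strong>$1</strong>',
        '/\[i\](.*?)\[\/i\]/s'       => '<em>$1</em>',
        '/\[u\](.*?)\[\/u\]/s'       => '<u>$1</u>',
        '/\[code\](.*?)\[\/code\]/s' => '<pre><code>$1</code></pre>',
    ];
    $out = preg_replace(array_keys($simple), array_values($simple), $out);

    // [url=...]text[/url] produces an href attribute, so its value is decoded,
    // checked against an http(s) scheme whitelist and re-escaped. A javascript:
    // URL is rejected and only the (already escaped) link text is emitted.
    $out = preg_replace_callback(
        '/\[url=([^\]]+)\](.*?)\[\/url\]/s',
        function (array $m): string {
            $url = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!preg_match('#^https?://#i', $url)) {
                return $m[2];
            }
            $safeUrl = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $safeUrl . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $out
    );

    return $out;
}

// Constructed sample input: a script injection, a tag with an event-handler
// attribute, legitimate formatting, and two [url] tags (one hostile, one ok).
$sample = '<script>alert(1)</script> <strong onmouseover="alert(2)">hi</strong> '
        . '<em>ok</em> [b]bold[/b] [url=javascript:alert(3)]click[/url] '
        . '[url=https://example.com/?a=1&b=2]site[/url]';

echo render_plain($sample), "\n\n";
echo render_limited_html($sample), "\n\n";
echo render_bbcode($sample), "\n";
```

With render_limited_html() the script tag and the attribute-bearing strong tag remain escaped while the bare em tag is restored; with render_bbcode() the hostile [url] collapses to its text and the https link is emitted with its ampersand re-escaped inside href. The non-greedy regexes do not handle nested or unbalanced BBCode gracefully (the markup may render oddly), but because every angle bracket was escaped before translation that is a display problem rather than an XSS one.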

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License