Note: This post is part of our series on “How to Fix Cross-site Scripting Vulnerabilities”. The series contains examples of how to fix Cross-site Scripting vulnerabilities in various programming languages.
PHP: htmlspecialchars() converts special characters to HTML entities. Pass ENT_QUOTES so that single quotes are encoded as well as double quotes (the default, ENT_COMPAT, leaves single quotes alone), and state the charset explicitly:
$name = htmlspecialchars($_POST['name'], ENT_QUOTES, 'UTF-8'); // encodes & < > " and '
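The following is an added example, not code from the original post, showing why the ENT_QUOTES flag matters. It places a constructed attacker value inside a single-quoted attribute, first unencoded, then encoded without ENT_QUOTES, then encoded with it. The variable and function names are hypothetical.

```php
<?php
// Added example (not from the original post): vulnerable output beside the
// htmlspecialchars() fix, in the single-quoted attribute context where the
// ENT_QUOTES flag makes the difference.

// Constructed attacker input, as it might arrive in $_POST['name'].
$untrusted = "x' onmouseover='alert(1)";

// Vulnerable: untrusted input is written straight into the markup.
function render_vulnerable(string $name): string {
    return "<input type='text' value='$name'>";
}

// Incomplete fix: ENT_COMPAT (the historical default) encodes only double
// quotes, so the single quote still closes the attribute value.
function render_half_fixed(string $name): string {
    return "<input type='text' value='" . htmlspecialchars($name, ENT_COMPAT, 'UTF-8') . "'>";
}

// Fix: ENT_QUOTES encodes both ' and "; the explicit charset avoids
// depending on the interpreter's default encoding.
function encode_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function render_fixed(string $name): string {
    return "<input type='text' value='" . encode_html($name) . "'>";
}

echo render_vulnerable($untrusted), PHP_EOL;
echo render_half_fixed($untrusted), PHP_EOL;
echo render_fixed($untrusted), PHP_EOL;
```

In the first two outputs the payload closes the attribute and adds an onmouseover handler; in the third, the single quote is emitted as the entity &#039;, so the whole value stays inside the attribute as inert text. Note that entity encoding is the right fix only for HTML element and attribute contexts; values placed inside JavaScript or URLs need the encoding for that context instead.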
ASP.NET: the HtmlEncode() method of the Microsoft Anti-XSS library can be used when displaying text directly inside HTML elements, for example in an inline expression block:
<%= Microsoft.Security.Application.AntiXss.HtmlEncode(this.txtName.Text) %>
This vulnerability allows an attacker to inject client-side code (typically JavaScript) into the target website, either permanently or temporarily. The code executes in the victim's browser when the page is loaded, and can carry out activities such as stealing cookies and sessions, modifying the page contents, logging keystrokes, etc.
There are two types of Cross-site Scripting:
- Temporary (reflected) XSS, where the injected code is returned in the response to a single request
- Persistent (stored) XSS, where the injected code is saved by the application and served to every visitor
How do I fix Cross-site Scripting?
The following posts provide specific details on fixing Cross-site Scripting vulnerabilities in various programming languages and through a variety of methods.