Fixing Cross-site Scripting in PHP

Posted by on December 27, 2012 1 Comment

Note: This post is part of our series on “How to Fix Cross-site Scripting Vulnerabilities”. The series contains examples on how to fix Cross-site Scripting vulnerabilities in various programming languages.

htmlspecialchars(): convert special characters to HTML entities before echoing user-supplied data

<?php
// Read the untrusted value (empty string if the field is absent) and encode
// <, >, &, " and ' as HTML entities before it reaches the browser.
$name = htmlspecialchars($_POST['name'] ?? '', ENT_QUOTES, 'UTF-8');
echo $name;
?>
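The snippet above shows the single call; the following is an added, self-contained example (not code from the original post) that wraps htmlspecialchars() in a small helper named e() and runs a few constructed inputs through both the unescaped and the escaped path, so the difference is visible side by side. The helper name, the flag combination and the sample strings are this example's own choices, not the post's.

```php
<?php
// Added example: output encoding for HTML body and attribute contexts.
declare(strict_types=1);

/**
 * Escape untrusted text for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES encodes both ' and ", ENT_SUBSTITUTE replaces invalid UTF-8
 * instead of returning an empty string, and the explicit charset avoids
 * relying on the default_charset ini setting.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs standing in for $_POST['name'] (or for a value
// read back from a database, which needs exactly the same treatment).
$samples = [
    'Alice',
    '<script>alert(1)</script>',
    '" onmouseover="alert(1)',
    "O'Brien & Sons <b>Ltd</b>",
];

foreach ($samples as $input) {
    // Unsafe: raw interpolation lets markup from the input reach the browser.
    $unsafe = "<p>Hello, $input</p>";

    // Safe: every HTML-significant character is encoded, so the browser
    // renders the input as text rather than parsing it as markup.
    $safe = '<p>Hello, ' . e($input) . '</p>';

    // Safe in a double-quoted attribute too, because ENT_QUOTES encodes
    // the quote that would otherwise close the attribute early.
    $attr = '<input type="text" name="name" value="' . e($input) . '">';

    echo "input : $input\n";
    echo "unsafe: $unsafe\n";
    echo "safe  : $safe\n";
    echo "attr  : $attr\n\n";
}
```

Two points worth keeping in mind when applying this: escape at the moment of output, not when storing, so the database holds the original text and every output path gets the correct encoding; and htmlspecialchars() only covers HTML text and quoted-attribute contexts. Data that ends up inside a script block, an inline event handler, a URL or a CSS value needs the encoding rules of that context instead.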

How to Fix Cross-site Scripting Vulnerabilities

Posted by on May 1, 2012 1 Comment

Websites often accept user input for the application to display on the screen. If the application is not careful enough with its treatment of user (attacker) input, it is possible for an attacker to inject malicious data, which when displayed on the screen can execute HTML or JavaScript code in the user’s browser.

This vulnerability allows an attacker to either permanently or temporarily inject client-side code into the target website. This code executes when the page is loaded by the victim and the client-side code may carry out activities such as: stealing cookies/sessions, modifying the page contents, logging key strokes, etc.

There are two types of Cross-site Scripting:

  • Temporary XSS
  • Persistent XSS

How do I fix Cross-site Scripting?

The following posts provide specific details for fixing Cross-site Scripting vulnerabilities in various programming languages and through a variety of methods.