PHP Classes

XSS attack


Subject: XSS attack
Summary: Does not prevent XSS
Messages: 4
Author: Chirs
Date: 2007-08-08 08:49:58
Update: 2007-08-16 22:29:48

1. XSS attack
Chirs - 2007-08-08 08:49:59
I just made a simple form with the following in the text area:

I like <div good="blah" bad=blah>php</div> but not <br> XSS <img src=javascript:alert('bad!')>

When I output the data after validation, it still prints the same thing WITHOUT filtering out the "bad" stuff. Do I need to do this "cleaning" using some other functions?

2. Re: XSS attack
SWanderer - 2007-08-10 01:17:00 - In reply to message 1 from Chirs
Ya, of course. You must treat all the data before outputting it.

If you need to output data like username or topic, etc.,

then you have to treat them before validating and clean them.

3. Re: XSS attack
Chirs - 2007-08-10 06:33:29 - In reply to message 2 from SWanderer
So, what function or class do you and others use to "treat" incoming data?

4. Re: XSS attack
Manuel Lemos - 2007-08-16 22:29:48 - In reply to message 3 from Chirs
The forms class does not alter the HTML data that you pass to it in order to format the form output.

Take a look at the Security section for classes that can perform the kind of security filtering you need:

phpclasses.org/browse/class/78.html
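Added example, not code from this thread or from the forms class: the output-escaping step that message 2 calls "treating" the data and that message 4 says the class leaves to the application. The function names (escape_html, render_submission) are my own, and the sample string is the input posted in message 1, embedded here as a constant.

```php
<?php
// Added example: escape untrusted text at the moment it is written into HTML.
// The forms class passes the value through unchanged, so this step belongs in
// the code that renders the page. Function names are assumptions, not class API.

declare(strict_types=1);

/**
 * Encode a string for insertion into an HTML text node or a quoted attribute.
 * ENT_QUOTES converts both " and ' so the result is safe inside attributes
 * quoted either way; ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead
 * of making htmlspecialchars() return an empty string (a silent data loss).
 */
function escape_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render a stored text-area value two ways: as visible page content and as the
 * pre-filled value of the re-displayed field. Both contexts take the same
 * encoding; the attribute context additionally needs the surrounding quotes.
 */
function render_submission(string $submitted): string
{
    $safe = escape_html($submitted);
    return "<p>You wrote: {$safe}</p>\n"
         . "<textarea name=\"comment\">{$safe}</textarea>\n";
}

// Constructed sample: the exact text posted in message 1 of the thread.
const SAMPLE_INPUT = 'I like <div good="blah" bad=blah>php</div> but not <br> XSS '
                   . '<img src=javascript:alert(\'bad!\')>';

echo render_submission(SAMPLE_INPUT);
```

Every `<` in the sample reaches the browser as `&lt;`, so the `<img>` and `<div>` are displayed as literal text and no element is created. The trade-off is that the poster's harmless `<div>` is not rendered either: escaping treats all markup as text. If some tags must be allowed through, that calls for a dedicated HTML sanitizer with an allowlist of tags and attributes (the kind of class the Security section above lists), not for an escaping function.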