The way to prevent XSS is to escape strings correctly in HTML. This is usually done by the htmlspecialchars function; however, in Smarty, etc., you can use the |escape modifier.
Another option is to put "escape" into the default modifiers list of Smarty, then every variable will be implicitly escaped in the page, unless you specifically tell it not to.
You'll also want to be careful if you're displaying error messages at any point (as they might not go via your normal page display routine).
Finally, XSS can be triggered by JavaScript in some circumstances, so watch out for that too (for example, with document.write or element.innerHTML).
In order to stop XSS, you must do this EVERYWHERE throughout your entire application, correctly. In practice this is not too tricky if you think about it from the start.
Mark
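
An added example, not part of the post above: the escape-by-default idea (as with putting "escape" into Smarty's default modifiers) carried over to JavaScript strings destined for element.innerHTML. The names escapeHtml, raw, html and renderError and the sample input are assumptions made up for this illustration.

```javascript
// Added illustration; escapeHtml, raw, html and renderError are hypothetical names.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };

// Replaces the same five characters as PHP's htmlspecialchars() with ENT_QUOTES.
// Safe for HTML text and quoted attribute values only, not for script or URL contexts.
function escapeHtml(value) {
  if (value === null || value === undefined) return "";
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Marker for markup that must NOT be escaped again (the explicit opt-out).
class RawHtml {
  constructor(markup) { this.markup = String(markup); }
  toString() { return this.markup; }
}
function raw(markup) { return new RawHtml(markup); }

// Tagged template: every interpolated value is escaped unless it is RawHtml.
// Returns RawHtml so nested html`...` fragments compose without double escaping.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((value, i) => {
    const items = Array.isArray(value) ? value : [value];
    for (const item of items) {
      out += item instanceof RawHtml ? item.markup : escapeHtml(item);
    }
    out += strings[i + 1];
  });
  return new RawHtml(out);
}

// Error messages go through the same escaping path as normal page output.
function renderError(message, field) {
  return String(html`<p class="error" data-field="${field}">${message}</p>`);
}

// Constructed sample input standing in for untrusted data.
const untrusted = '<script>alert("x")</script>';
console.log(renderError(untrusted, 'name"1'));
// In a browser: element.innerHTML = renderError(untrusted, "name");
```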