
Pádraic Brady:
20 Point List For Preventing Cross-Site Scripting In PHP
April 23, 2013 @ 09:27:02

Pádraic Brady has posted a 20-point list intended to help you prevent cross-site scripting (XSS) issues in your PHP applications.

Summarising knowledge has as much value as writing a 200 page treatise on a topic, so here is a list of 20 brief points you should bear in mind when battling Cross-Site Scripting (XSS) in PHP. Minus my usual book-length brain fart. Chances are good that ignoring or acting contrary to any one of these will lead to a potential XSS vulnerability. It's not necessarily a complete list - if you think something needs to be added, let everyone know in the comments.

His tips include things like:

  • Never pass data from untrusted origins into output without either escaping or sanitising it.
  • Remember that anything not explicitly defined in source code has an untrusted origin.
  • Always include ENT_QUOTES, ENT_SUBSTITUTE and a valid character encoding when calling htmlspecialchars().
  • Use rawurlencode() to escape strings being inserted into URLs and then HTML escape the entire URL.
  • Validate all complete URLs if constructed from untrusted data.
  • Remember that HTMLPurifier is the only HTML sanitiser worth using.
  • Ensure that cookies which must only be transmitted over HTTPS are marked Secure.
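The escaping, URL-handling and cookie points above, worked through in PHP. This is an added example written for this summary, not code from Pádraic Brady's post; the helper names e(), buildUrl(), safeHref() and setSecureCookie() and the attacker-style sample inputs are this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Helper names and sample inputs
// are assumptions made for illustration.

// Escape untrusted data for HTML body text or a quoted attribute.
// ENT_QUOTES escapes both ' and " so the value is safe inside single- or
// double-quoted attributes. ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD
// instead of returning an empty string, which would silently drop the output
// and hide what was submitted. The charset is passed explicitly rather than
// relying on the runtime default.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build a URL from a trusted base plus untrusted query parameters. Each key
// and value is percent-encoded with rawurlencode() (RFC 3986: a space becomes
// %20, not +). The caller still HTML-escapes the complete URL with e() before
// placing it in an href attribute.
function buildUrl(string $base, array $params): string
{
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[] = rawurlencode((string) $key) . '=' . rawurlencode((string) $value);
    }
    return $base . ($pairs === [] ? '' : '?' . implode('&', $pairs));
}

// Validate a complete URL that came from untrusted data before using it as a
// link target. filter_var() only checks syntax: a URL such as
// javascript://host/%0Aalert(1) is syntactically valid, so the scheme is
// additionally checked against an allow-list of http and https.
function safeHref(string $url): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Set a cookie that is only transmitted over HTTPS (Secure) and is not
// readable from JavaScript (HttpOnly). Uses the PHP 7.3+ options array.
function setSecureCookie(string $name, string $value): bool
{
    return setcookie($name, $value, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Constructed attacker-style inputs for demonstration.
$name   = '"><script>alert(1)</script>';
$search = 'a b&c=<x>';
$link   = 'javascript://example.com/%0Aalert(document.cookie)';

// Attribute context: the payload is rendered inert.
echo '<input name="display_name" value="' . e($name) . '">' . "\n";

// URL context: component-encode, then HTML-escape the whole URL.
$url = buildUrl('https://example.com/search', ['q' => $search]);
echo '<a href="' . e($url) . '">search</a>' . "\n";

// Untrusted complete URL: rejected because of the scheme.
$href = safeHref($link);
echo $href === null
    ? 'rejected link: ' . e($link) . "\n"
    : '<a href="' . e($href) . '">link</a>' . "\n";
```

Note that e() is only correct for HTML body text and quoted attribute values; data inserted into a JavaScript string, a CSS value or an unquoted attribute needs a context-specific escaper, which is exactly why the list treats each output context separately.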

He points out that XSS is still one of the most "popular" (and easy to exploit) attack methods out there, so keep these tips in mind when writing up your code.


Link: http://blog.astrumfutura.com/2013/04/20-point-list-for-preventing-cross-site-scripting-in-php







All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework