Php - What is cross site scripting, Script validation
What is cross site scripting
Cross-Site Scripting
What is Cross Site Scripting?
Cross-Site Scripting is when a visitor is able to input html/javascript code inito a website and have it display this code. Common Causes
When text input is not properly checked for html/javascript tags and is displayed directly to a browser. Examples and their exploits
Example 1 (code):
... $comment=$_GET["comment"]; if ($comment) { echo $comment; } ...
Example 1 (exploit): This is how a web is exploited,
URL: page.php?comment=<script>alert("pop up");</script>
Example 1 (explaination):
In this example, all HTML tags and Javascript code gets thrown back to the browser. This is a simple example, and would only affect the client that submited that code in, but if this $comment was saved and later displayed to other users, the end result could be bad. One possible thing an attacker can do is to insert javascript code that sends all visitors to that page to another page of his choosing.
What will end up happening in this example is the user will be thrown a javascript alert with the words 'pop up' in it. Exactly like the one here.
Example 1 (solution) - Validate the script properly:
Since $comment is displayed back to the browser, it is easiest to escape the < > tags, so the browser does not try to process it. Or if you are not expecting users to use a < or > character, just remove all of those characters. Escaping the < > characters:
$escapeChars[0]=array('<', '>'); $escapeChars[1]=array("<", ">"); $comment=str_replace($escapeChars[0], $escapeChars[1], $_GET["comment"]);
Removing the < > characters:
$escapeChars[0]=array('<', '>'); $comment=str_replace($escapeChars[0], "", $_GET["comment"]);
The topic on Php - What is cross site scripting is posted by - Math
Hope you have enjoyed, Php - What is cross site scriptingThanks for your time