Watch for Cross Site Scripting (XSS) Attacks in User Input

Jan 19, 2009 Author: City Hall

A web application usually accepts input from users and displays it in some way. That input can take a wide variety of forms, including comments, threads or blog posts that contain HTML. Allowing HTML in user input is dangerous, because it lets JavaScript be executed in unintended ways. If even one hole is left open, JavaScript can run and cookies can be hijacked. That cookie data could then be used to impersonate a real account and give an unauthorized user access to the website's data.

There are a few ways you can protect yourself from such attacks. One way is to disallow HTML altogether, since then there is no way for any JavaScript to execute. However, this also disallows formatting, which is not always an acceptable option for forum and blog software.

If you want HTML mostly disabled but still want to allow simple formatting, you can allow just a few selected HTML tags (without attributes) such as <strong> or <em>. Alternatively, you can allow a popular set of tags called "BBCode" or "BB Tags," commonly seen on forums in the format [b]test[/b]. This can be a good way to allow some formatting customization while disallowing anything dangerous. You can implement BBCode using pre-existing packages such as HTML_BBCodeParser, or write your own BBCode implementation with regular expressions and a series of preg_replace statements.
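The following PHP is an added example, not code from the original post or from HTML_BBCodeParser. It shows both approaches described above: escaping all HTML so that user input is inert, and a small hand-written BBCode translator built on preg_replace. The function names, the chosen tag whitelist and the sample inputs are assumptions made for this illustration. The key ordering is that htmlspecialchars runs first, so the BBCode replacements only ever emit markup the application itself wrote, and the one tag that produces an attribute ([url]) validates its value against an http/https whitelist before emitting it.

```php
<?php
// Added example (not from the original post): a minimal BBCode-to-HTML
// converter that first neutralises all raw HTML and then re-enables a small
// whitelist of formatting tags. Function and tag names are assumptions.

/**
 * Approach 1 from the post: disallow HTML altogether.
 * Everything the user typed becomes inert text.
 */
function render_plain_text(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Approach 2 from the post: allow a few BBCode tags and translate them
 * into attribute-free HTML. Escaping happens before the replacements,
 * so no user-supplied '<' or '"' can survive into the output.
 */
function render_bbcode(string $input): string
{
    $out = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Simple formatting tags -> attribute-free HTML (whitelist only).
    $simple = [
        '/\[b\](.*?)\[\/b\]/is' => '<strong>$1</strong>',
        '/\[i\](.*?)\[\/i\]/is' => '<em>$1</em>',
        '/\[u\](.*?)\[\/u\]/is' => '<u>$1</u>',
    ];
    $out = preg_replace(array_keys($simple), array_values($simple), $out);

    // [url=...]text[/url] is the only tag that produces an attribute, so the
    // URL is validated against an http/https whitelist before it is emitted.
    $out = preg_replace_callback(
        '/\[url=([^\]]+)\](.*?)\[\/url\]/is',
        function (array $m): string {
            // htmlspecialchars already ran; decode to validate the raw URL.
            $url = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!preg_match('#\A(https?://)[^\s"\'<>]+\z#i', $url)) {
                // Disallowed scheme or malformed value: render the link text only.
                return $m[2];
            }
            $safe = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $safe . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $out
    );

    return nl2br($out);
}

// Constructed sample inputs: one benign, one that tries to smuggle script
// through both a raw tag and a link scheme, one with a legitimate link.
$samples = [
    "Hello [b]world[/b] and [i]friends[/i]",
    "[url=javascript:alert(1)]click[/url] <script>alert(document.cookie)</script>",
    "[url=https://example.com/?a=1&b=2]site[/url]",
];
foreach ($samples as $s) {
    echo render_plain_text($s), "\n";
    echo render_bbcode($s), "\n\n";
}
```

Because the escaping step comes first, the raw <script> element in the second sample is rendered as visible text rather than executed, and the javascript: link is reduced to its label. If you add more BBCode tags later, keep to the same rule: emit only fixed markup, and validate any user-controlled value that ends up inside an attribute.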
