0
votes

I see my script is vulnerable to XSS, I am new to PHP so I really have no idea where I should look at. Here are all the codes I use:

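<?php
$host = $_SERVER['HTTP_HOST'];
// Collect the file names in the gif/ directory.
$map = opendir('gif');
$m = 0;
while (false !== ($file = readdir($map))) {
    if ($file != "." && $file != "..") {
        $gif[$m] = $file;
        $m++;
    }
}
// Index of a random file for the "new gif" link.
$random_gif = rand(0, count($gif) - 1);
?>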

&

<html>
<head>
    <meta http-equiv = "Content-Type" content = "text/html; charset=UTF-8">
    <title><?php echo $_GET['gif']; ?> - Xanu</title>
</head>
<body><center>
<object width="650" height="650">
<embed src="gif/<?php echo $_GET['gif']; ?>" width="640" height="480"></embed>
<br><b><font face="Arial">
        <font size="10"><?php echo $_GET['gif']; ?></font><br><br>
        Link naar de bullshit die hier boven staat?<br>
        <input type="text" size="55" name="giflink" value="http://<?php echo $host; ?>/file.php?gif=<?php echo $_GET['gif']; ?>"><br><br>
<?php
echo '<a href="http://'.$host.'/file.php?gif='.$gif[$random_gif].'">Klik hier voor nieuwe bullshit!</a>';
?>
1
possible duplicate of Protection against XSS exploits? - MeNa

1 Answer

0
votes

You're sending $_GET['gif'] back to the user, so you should use htmlspecialchars:

<?php echo htmlspecialchars($_GET['gif'], ENT_QUOTES); ?>
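An added example (not code from the question or the answer) that applies the answer's escaping to each place the question's page prints the value, and goes one step further by accepting only names that appear in the directory listing. `h()`, `pick_gif()`, `render()` and `SITE_HOST` are assumed names; the fixed host stands in for `$_SERVER['HTTP_HOST']`, which is also client-supplied.

```php
<?php
// Added example; h(), pick_gif(), render() and SITE_HOST are hypothetical names.
const SITE_HOST = 'example.test'; // assumed: set in config, not read from the Host header

// Escape for HTML element text and quoted attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Return $requested only if it names a file that exists in $dir, else null.
// Matching against the listing also rejects "../" and array input (?gif[]=x).
function pick_gif(string $dir, $requested): ?string
{
    if (!is_string($requested)) {
        return null;
    }
    $files = array_diff(scandir($dir) ?: [], ['.', '..']);
    return in_array($requested, $files, true) ? $requested : null;
}

// Render the three sinks from the question, each encoded for its context.
function render(string $dir, $requested): string
{
    $gif = pick_gif($dir, $requested);
    if ($gif === null) {
        return "<title>Not found - Xanu</title>\n";
    }
    $src  = 'gif/' . rawurlencode($gif);                                    // URL path segment
    $link = 'http://' . SITE_HOST . '/file.php?gif=' . rawurlencode($gif);  // query value
    return '<title>' . h($gif) . " - Xanu</title>\n"
         . '<embed src="' . h($src) . "\" width=\"640\" height=\"480\">\n"
         . '<input type="text" size="55" name="giflink" value="' . h($link) . "\">\n";
}

// Constructed sample data: a temp directory holding one awkwardly named file.
$dir = sys_get_temp_dir() . '/gif_demo_' . getmypid();
mkdir($dir);
touch($dir . "/cat & dog's.gif");

echo render($dir, "cat & dog's.gif");      // listed file: printed with escaping
echo render($dir, '"><b>injected</b>');    // not in the listing: rejected
echo render($dir, ['x']);                  // array input: rejected

unlink($dir . "/cat & dog's.gif");
rmdir($dir);
```

The file name is URL-encoded first and HTML-escaped second, because the `src` and `value` attributes hold a URL inside an HTML attribute and each layer needs its own encoding.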