I want to stop cross-site scripting on a text area. The code below as input data will be vulnerable for the text area:
<script>alert("Hello")</script>
Can anybody help on this to prevent the cross-site scripting with a sample code??
1
votes
1 Answers
2
votes
Cross side scripting attack is much bigger than you think and definetly not limited to code you mentioned <script>alert("Hello")</script>.So strictly confined to your question these type of XSS attacks can be prevented by so many php libraries.I will mention a few below.
- HTML Purifier
- PHP AntiXSS
- xssprotect
- XSS HTML Filter
- xss_clean.php filter
- Updating php version
Lets talk about the most prominant method to prevent XSS attack which is Php AntiXss
PHP Anti-XSS Library developing for prevent the XSS(Cross Site Scripting) vulnerabilities on the web applications. PHP Anti-XSS Library automatically detect the encoding of the data that you want filter and if you wish its encoding your data again. Also there are 3 type of filtering option.
3 Types of filtering options here
- Blacklist Filtering
- Whitelist Filtering
- Graylist Filtering
Usage:
Method 1: Setting the encoding of the data
$data = AntiXSS::setEncoding($data, "UTF-8");
Method 2:
Setting the filter for the data
$data = AntiXSS::setFilter($data, "whitelist", "string");
Popular Usage:
Xssescape is a package used to prevent cross site scripting (xss) attack in cross brower.
Usage :
npm install xssescape
app.js
var xs = require('xssescape')
var htmlStr = "<script> alert(document.cookie); </script>";
xs.strictEscape(htmlStr);
or
var htmlStr = "<script> alert(document.cookie); </script>";
xs.unescape(htmlStr);
or
var browserURL = "http://example.com/?<script> document.cookie </script>";
xs.unSafeUrl('/home'); // eg. you can keep what ever you want as a path name.
// it will reload/refresh the page with /home after the default url.
