On 19/06/16 09:38, Михаил Востриков wrote:
> My point is that the main job of the echo operator "<?= ?>" is to output an unknown value from
> the database to an HTML environment. So in all these places we should copy-paste
> the call of htmlspecialchars() to prevent XSS.
The majority of XSS problems are created because the free-format input INTO the application is not correctly handled. Simply banging htmlspecialchars() around totally unmanaged text is NOT the solution, and handling the correct filtering of the inputs is where this should be handled.

I'm sure all of you see various attempts at XSS and SQL injection in your log files. About 20% of my overnight traffic is people trying to 'get in', but because I do not allow raw text to get through, all it results in is errors in the log files. The packages that we have had problems cleaning up have tried using the 'clean the output' approach, but this STILL left holes which can only be fixed by cleaning the input ...

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
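The exchange above turns on what a call to htmlspecialchars() at the `<?= ?>` sink does and does not cover. As an added example, not code from either poster or from PHP itself, the block below writes one untrusted value into three different output contexts: an HTML text node or quoted attribute (where htmlspecialchars() with ENT_QUOTES is the right tool), an inline script (where it is not, and json_encode() with the JSON_HEX_* flags is), and a link target (where no escaping helps and the URL scheme has to be checked against an allow-list). The helper names e(), js() and safeHref() and the sample values are my own constructed choices.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread: escaping one untrusted value
// differently depending on the HTML context it is written into.

/** Escape for an HTML text node or a double/single-quoted attribute value. */
function e(string $value): string
{
    // ENT_QUOTES covers both quote characters (PHP < 8.1 defaults to ENT_COMPAT,
    // which leaves single quotes alone); ENT_SUBSTITUTE replaces invalid UTF-8
    // rather than returning an empty string. The charset must match the page's.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Encode a value for use inside an inline <script> block. */
function js(string $value): string
{
    // htmlspecialchars() is the wrong tool here: a JS string literal cares about
    // backslashes and line terminators, which it does not touch. json_encode()
    // produces a valid JS literal; the JSON_HEX_* flags hex-encode <, >, &, ', "
    // so the result can never contain a literal "</script>" either.
    $encoded = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($encoded === false) {
        throw new UnexpectedValueException('value is not valid UTF-8');
    }
    return $encoded;
}

/** Return a URL safe to place in href="...", or '#' if its scheme is not allowed. */
function safeHref(string $url): string
{
    // Escaping does not help for URLs: a "javascript:" URL passes htmlspecialchars()
    // unchanged, so the scheme is checked against an allow-list before escaping.
    // Relative URLs have no scheme and are allowed through.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== '' && !in_array($scheme, ['http', 'https', 'mailto'], true)) {
        return '#';
    }
    return e($url);
}

// Constructed sample values standing in for untrusted database rows.
$name = '<b>Ivan</b>" onmouseover="alert(1)';
$link = 'javascript:alert(1)';

// Text node and quoted attribute: e() is sufficient in both places.
echo '<p>' . e($name) . "</p>\n";
echo '<input value="' . e($name) . "\">\n";

// Inline script: the value becomes a JS literal, not HTML-escaped text.
echo '<script>var user = ' . js($name) . ";</script>\n";

// Link target: scheme check first, then attribute escaping.
echo '<a href="' . safeHref($link) . "\">profile</a>\n";
```

Run with `php example.php` and inspect the emitted HTML: the first two lines show the markup and the attribute-breaking quote rendered inert, the script line carries a `\u003C...\u0022` literal rather than HTML entities, and the link falls back to `#`. The practical point is that the escaping function is chosen per output context, which is why a single copy-pasted htmlspecialchars() is neither sufficient on its own nor replaceable by input filtering alone.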