XSS or Cross Site Scripting is the ability to inject malicious
line - to get them printed and output to the client through the
HTML code of the page.
In order to avoid such security issues all you have to do is to
sanitise the $_GET and $_POST input before outputting it to the
browser. Check out htmlentities() and similar stuff.
On Tue, Jun 9, 2009 at 8:47 PM, Skip Evans<s...@bigskypenguin.com> wrote:
> Well, the function filter_input(INPUT_GET, 'kw', FILTER_SANITIZE_ENCODED);
> ...seemed to take care of the example on the report by Security Metrics.
> Am I on the right track here, at least?
> I'm reading pages on 'sanitizing PHP input'. Is that where I should be
> Shawn McKenzie wrote:
>> Skip Evans wrote:
>>> Hey all,
>>> You may have seen my earlier message about a current client whose site
>>> I've taken over maintenance on that is trying to get PCI Compliance from
>>> Security Metrics. I've put all the forms behind https and a couple of
>>> other things, but this one I don't know how to solve. I'll read up on
>>> cross site scripting, but could someone help me understand what they
>>> believe the vulnerability is in their notes below?
>>> Possible cross site scripting on http://www.ranghart.com/index.php
>>> Use the following commands to verify this: wp --inject
>>> TCP http/https 4
>>> curl -L
>>> grep "123"
>>> This website may have other injection related vulnerabilities.
>> Well, their example is not correct, try:
>> doing some nasty JavaScipt hacking here!"%29%3B%3C%2Fscript%3E in a
>> This means that you're not validating/sanitizing input. You can't just
>> take the contents of a $_GET, $_POST, etc. (any user input) variable and
>> echo it out.
> Skip Evans
> Big Sky Penguin, LLC
> 503 S Baldwin St, #1
> Madison WI 53703
> Those of you who believe in
> telekinesis, raise my hand.
> -- Kurt Vonnegut
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
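An added example, not code from anyone in this thread, contrasting the echo-it-straight-out pattern Shawn describes with htmlspecialchars() escaping at the point of output, and showing what FILTER_SANITIZE_ENCODED (the filter Skip tried) actually produces. The function names and the sample 'kw' values are constructed for the demonstration.

```php
<?php
// Added example (not from the thread). Run from the CLI: php xss_escape.php
declare(strict_types=1);

// Constructed sample values standing in for $_GET['kw'].
$samples = [
    'penguins',
    '"><script>alert(1)</script>',
    "' onmouseover='alert(1)",
];

// Vulnerable: request data is echoed straight into the HTML body and into
// an attribute value, so a crafted kw rewrites the page structure.
function render_unsafe(string $kw): string
{
    return "<p>Results for: $kw</p>\n"
         . "<input name=\"kw\" value=\"$kw\">";
}

// Hardened: encode for the HTML context at the moment of output.
// ENT_QUOTES covers both quote styles so the value also stays inside
// attribute values; the charset keeps the encoder from being confused by
// malformed multibyte sequences.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(string $kw): string
{
    return "<p>Results for: " . esc($kw) . "</p>\n"
         . "<input name=\"kw\" value=\"" . esc($kw) . "\">";
}

// For comparison: FILTER_SANITIZE_ENCODED URL-encodes the value. That does
// make "<script>" inert, but the result ("%3Cscript%3E") is URL syntax, not
// HTML; it is meant for building links, not for printing text into a page.
function url_encoded(string $kw): string
{
    return filter_var($kw, FILTER_SANITIZE_ENCODED);
}

foreach ($samples as $kw) {
    echo "--- input: $kw\n";
    echo "unsafe:\n", render_unsafe($kw), "\n";
    echo "safe:\n", render_safe($kw), "\n";
    echo "FILTER_SANITIZE_ENCODED: ", url_encoded($kw), "\n\n";
}
```

The escaping belongs to the output context: the same value needs a different encoder when it is written into a URL, a JavaScript string or an SQL query, which is why a single "sanitize on input" filter does not settle the question.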