
help desk

How can I prevent XSS (Cross-site Scripting) attacks on my site?

What can be done while programming in extenso to reduce the chances of an XSS attack?

Asked on 2022-01-11 10:00:00

OFFICIAL ANSWER

In general, all data from an external source should be handled with care.

It could be used for XSS (https://en.wikipedia.org/wiki/Cross-site_scripting).

An example of XSS is the following code:

cgidata = cgidata();
cgidata.problem;

If you call this page with this URL:

page?problem=<svG%2Fonload%3Dalert(document.cookie)>

you will force the browser to execute this JavaScript.

 

If you want to display cgidata.problem, use the following code:

esc(filter:"html", cgidata.problem);

If your data is expected to be a page number, make sure it is numeric.

As an example, the following code, which displays the current page, poses a problem:

<a href="page.sn?page=">url</a>

If this page is called with the following URL, the page parameter is not validated.

page.sn?page=10"><script>alert(document.cookie)</script>&kw=

In this case, you could make sure that page is numeric, or use the following code to validate the URL:

<a href="page.sn?page=">url</a>

Answer by:
Pierre Laplante

Replied on: 2022-01-12 13:37:00
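
The two cases in the answer above, reproduced as an added example in plain Node.js (version 16 or later). This is not code from the original answer or from the framework the question refers to; the function names, the fallback to page 1 when the page parameter is rejected, and the six-digit limit on page numbers are assumptions made for the example. The request URLs are the two payloads quoted in the answer.

```javascript
// Added example, not code from the original answer or from the framework
// the question refers to: a plain Node.js reproduction of the two
// reflected-XSS cases above, each beside its hardened counterpart.
// Function names, the page-1 fallback and the 6-digit limit are assumptions.

// Escape the five characters that matter in HTML text and in double- or
// single-quoted attribute values. Plays the role of the answer's
// esc(filter:"html", ...) call.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Decode the query string the way a server hands it to the page:
// percent-encoding removed, so %2F becomes "/" and %3D becomes "=".
function parseQuery(requestUrl) {
  const u = new URL(requestUrl, 'http://localhost/');
  return Object.fromEntries(u.searchParams);
}

// Case 1: echoing cgidata.problem into the page body.
function renderProblemVulnerable(query) {
  return `<p>${query.problem ?? ''}</p>`;             // raw: attacker markup lands in the DOM
}
function renderProblemSafe(query) {
  return `<p>${escapeHtml(query.problem ?? '')}</p>`; // escaped: rendered as text
}

// Case 2: a page number dropped into an href attribute.
// Whitelist validation: 1 to 6 digits, value at least 1; anything else is rejected.
function parsePageNumber(raw) {
  if (typeof raw !== 'string' || !/^\d{1,6}$/.test(raw)) return null;
  const n = Number(raw);
  return n >= 1 ? n : null;
}
function renderPagerVulnerable(query) {
  return `<a href="page.sn?page=${query.page ?? ''}">url</a>`; // input closes the attribute and the tag
}
function renderPagerSafe(query) {
  const page = parsePageNumber(query.page) ?? 1;      // assumption: invalid input falls back to page 1
  return `<a href="page.sn?page=${escapeHtml(page)}">url</a>`; // escaped anyway, as defence in depth
}

// Constructed request URLs, copied from the two payloads in the answer above.
const PROBLEM_URL = 'page?problem=<svG%2Fonload%3Dalert(document.cookie)>';
const PAGE_URL = 'page.sn?page=10"><script>alert(document.cookie)</script>&kw=';

// Render both requests with the vulnerable and the hardened code side by side.
function demo() {
  const q1 = parseQuery(PROBLEM_URL);
  const q2 = parseQuery(PAGE_URL);
  return [
    `vulnerable body: ${renderProblemVulnerable(q1)}`,
    `hardened body:   ${renderProblemSafe(q1)}`,
    `vulnerable link: ${renderPagerVulnerable(q2)}`,
    `hardened link:   ${renderPagerSafe(q2)}`,
  ];
}

console.log(demo().join('\n'));
```

Escaping is context-specific: escapeHtml is the right filter for HTML text and quoted attribute values, which covers both cases here, but a value placed inside a URL needs URL encoding on top of that, and a value placed inside a script block needs a JavaScript-specific encoding. Where the input has a known shape, as with the page number, rejecting everything that does not match that shape is the primary control and the escaping is a second layer.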