How can I prevent an XSS (Cross-site Scripting) attack on my site?

What can be done during programming, in full, to reduce the risk of an XSS attack?

Asked on 2022-01-11 10:00:00

OFFICIAL ANSWER

In general, all data from an external source should be handled with care.

It could be used for XSS (https://en.wikipedia.org/wiki/Cross-site_scripting).

An example of an XSS is the following code:

cgidata = cgidata();
cgidata.problem;

If you call this page with this code:

page?problem=<svG%2Fonload%3Dalert(document.cookie)>

you will force the browser to execute this JavaScript.
If you want to display cgidata.problem, use the following code:

esc(filter:"html", cgidata.problem);
If your data is expected to be a page number, make sure it's numeric.

As an example, the following code, which displays the current page, poses a problem:

<a href="page.sn?page=">url</a>

If this page is called with the following URL, page is not validated:

page.sn?page=10"><script>alert(document.cookie)</script>&kw=

In this case you could make sure that page is numeric, or use the following code to validate the URL:

<a href="page.sn?page=">url</a>

Answered by:
Pierre Laplante

Answered on: 2022-01-12 13:37:00
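The two controls the answer recommends, output escaping for the displayed value and numeric validation for the page parameter, shown together as an added example in plain Node.js. This is not code from the help desk answer or from the template language it uses; the function names (escapeHtml, parsePageNumber, renderProblem, renderPageLink) and the fallback to page 1 are assumptions made for this illustration, and the two inputs are the answer's own payloads, URL-decoded, embedded here as constructed test data.

```javascript
// Added example, not part of the original help-desk answer. Names below are
// assumptions for this illustration, not an API of any product.

// 1. Contextual output encoding. Escaping &, <, >, " and ' makes a value safe
//    both in the HTML body and inside a double-quoted attribute such as href="".
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// 2. Input validation. A page number must be a short run of digits; anything
//    else (including the 10"><script>... payload) is rejected with null.
function parsePageNumber(raw) {
  if (typeof raw !== 'string' || !/^[0-9]{1,6}$/.test(raw)) return null;
  return parseInt(raw, 10);
}

// Display of a free-text parameter, the counterpart of esc(filter:"html", ...).
function renderProblem(problem) {
  return `<p>${escapeHtml(problem)}</p>`;
}

// Pagination link. Invalid input falls back to page 1 instead of being
// reflected; the validated number is still escaped so the attribute context
// stays intact even if a later change passes a non-numeric value through.
function renderPageLink(rawPage) {
  const page = parsePageNumber(rawPage) ?? 1; // assumption: default to page 1
  return `<a href="page.sn?page=${escapeHtml(page)}">url</a>`;
}

// Constructed inputs: the two payloads quoted in the answer, URL-decoded.
const PROBLEM_PAYLOAD = '<svG/onload=alert(document.cookie)>';
const PAGE_PAYLOAD = '10"><script>alert(document.cookie)</script>';

console.log(renderProblem(PROBLEM_PAYLOAD)); // markup arrives as inert text
console.log(renderPageLink(PAGE_PAYLOAD));   // payload never reaches the href
console.log(renderPageLink('10'));           // legitimate value passes through
```

Validation and escaping are complementary rather than alternatives: the whitelist check stops anything that is not a page number from being used at all, and the escape step protects the attribute context in case the rendering code is later reused for a value that is not numeric.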