More XSS Update

Via Chris I found the XSS Cheat Sheet, which shows a looot of possible XSS attacks. I didn't test all on my script, but one I spotted was that &106 is a prefectly valid entity (without semicolon…). The script is fixed, since html_entity_decode() doesn't recognize that either.

Tidy would have fixed that, so I really highly recommend running tidy before trying to do any XSS prevention. Tidy removes a lot of dirty HTML tricks in the first place and makes your XSS prevention script much simpler (but the goal of my script was to not rely on tidy, otherwise the regexes would be much shorter and my life easier ;) )

Do you have a question, a comment, or just feeling inspired? Mention us or share this article on Mastodon, Twitter or LinkedIn.

Subscribe to blog updates using the RSS Feed.

Topics

Technology