XSS filtering function in PHP

Simple way? Use strip_tags(): $str = strip_tags($input); You can also use filter_var() for that: $str = filter_var($input, FILTER_SANITIZE_STRING); The advantage of filter_var() is that you can control the behaviour by, for example, stripping or encoding low and high characters. Here is a list of sanitizing filters.

Chrome: ERR_BLOCKED_BY_XSS_AUDITOR details

The simple way to bypass this error during development is to send a header to the browser. Put the header before sending data to the browser. In PHP you can send this header to bypass the error; header reference: header('X-XSS-Protection:0'); In ASP.NET you can send this header; header reference: HttpContext.Response.AddHeader("X-XSS-Protection","0"); or HttpContext.Current.Response.AddHeader("X-XSS-Protection","0"); In Node.js …

What is the difference between AntiXss.HtmlEncode and HttpUtility.HtmlEncode?

I don't have an answer specifically to your question, but I would like to point out that the whitelist vs. blacklist approach is not just "nice". It's important. Very important. When it comes to security, every little thing is important. Remember that with cross-site scripting and cross-site request forgery, even if your site …

Today’s XSS onmouseover exploit on twitter.com

The vulnerability is because URLs were not being parsed properly. For example, the following URL is posted to Twitter: http://thisisatest.com/@"onmouseover="alert('test xss')"/ Twitter treats this as the URL. When it is parsed, Twitter wraps a link around that code, so the HTML now looks like: <a href="http://thisisatest.com/@"onmouseover="alert('test xss')"rel/" target="_blank" ="">http://thisisatest.com/@"onmouseover="alert('test xss')"/</a></span> You can see that by …

Cross Site Scripting in CSS Stylesheets

From the browser security handbook: The risk of JavaScript execution. As a little-known feature, some CSS implementations permit JavaScript code to be embedded in stylesheets. There are at least three ways to achieve this goal: by using the expression(…) directive, which gives the ability to evaluate arbitrary JavaScript statements and use their value as a …

CSRF, XSS and SQL Injection attack prevention in JSF

XSS: JSF is designed to have built-in XSS prevention. You can safely redisplay all user-controlled input (request headers (including cookies!), request parameters (also the ones which are saved in the DB!) and request bodies (uploaded text files, etc.)) using any JSF component. <h:outputText value="#{user.name}" /> <h:outputText value="#{user.name}" escape="true" /> <h:inputText value="#{user.name}" /> etc… Note that when …

Error!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)