Thwarting XSS!

January 7th, 2011   •   41 Comments   

Data containing HTML or Java Script can really be one of the BIGgest problem, specially when its is being specified by a ‘user’. For example simple application like Blog, where user can submit the comments after reading the post, which’s being displayed. If the user is ‘not-that-bad’ and enters only plain text, then seriously no problem. Let’s take if the user submit the data

<b><i>Post seems great.</i></b>

What will happen? The situation is not as easy as it seems to be, yet it gets complicated. Browsers will not be able to tell the difference between HTML tags which are displaying from Blog, it will directly get embedded in the comments.

It is still good if the user closes the HTML tags, like in above code. All the HTML codes are closed properly. If its not properly closed then this situation tends to get getting extremely bad, it will cause the browser to prevent page being displayed correctly. Like if someone submits the following the effects may not be that good!

<b or > or <a href="

The situation will get worse if it contains Java Script. A malicious personality can steal your cookies to his inbox, can redirect your pages to another web page, can burglarize your password which are saved in the ‘browser’. A lot of thing can be done by Java Script.

These kind of ‘problems where someone injects something which indirectly get many things’ are called XSS (Cross Site Scripting) attack.

If you think to be safe’f XSS then you need to work with code nicely and also keeping in mind that *you never should display the direct input from the user* will be an beneficial addon. You need to remove the HTML tags/Script first before displaying in the site.

You will feel good to know, Php gives you two functions to remove the HTML tags or encode the special characters.
1. strip_tags() : It removes the HTML tags from the string
2. htmlentities() : It encodes the special HTML characters.

Let’s see the how to use those functions:

//Remove the HTML to comments
$comment = strip_tags($_POST['comment']);
print $comment;

if the ($_POST[‘comment’]) have

<b>Hi..</b> Your <div> <span>article</span> </div> seems <i>perfect.</i>

it will display simply.

Hi.. Your article seems perfect.

Now let’s see the htmlentities function:

//Remove the HTML to comments
$comment = htmlentities($_POST['comment']);
print $comment;

if the ($_POST[‘comment’]) have

<b>Hi..</b> Your <div> <span>article</span> </div> is <i>awesome.</i>

It will display…

&lt;b&gt;Hi...&lt;/b&gt; Your &lt;div class=&quot;heading1&quot;&gt;&lt;
span&gt;article&lt;/span&gt;&lt;/div&gt; is &lt;i&gt awesome. &lt/i&gt

The characters have been changed to
< to &lt;
> to &gt;
" to &quote;

Now the browser will display the page as *if the browser's getting bizarre reading those damn not-so-good inputs from malicious user!*

You also need to put a default value to being prevented form XSS.
Make an array of default value. See in the example

if ($_POST['_submit_check']){
$default = $_POST;
else {
$default = array('name' => 'abc',
				 'email' => '[email protected]',
				 'web' => '',
				 'content' => 'xyz');

See how to set the default value in multiline text area.

print '<textarea name="comment">';
print htmlentities($defalut['comment']);
print '</textarea>';

This can be a way of how we can prevent injecting scripts...

Reposted from 'Kuwait Hackers'

Share this article

41 Responses

  1. very interesting info !

  2. citymanual says:

    Thanks for your nice tips.I’ll keep all these tips in my mind while posting the blogs

  3. Interestingly it is written. have something to learn.

  4. Shakeology cleanse direc. says:

    I’d should check with you here. Which is not one thing I normally do! I take pleasure in reading a post that may make people think. Also, thanks for allowing me to comment!

  5. Rueben Huelskamp says:

    Youre so cool! I dont suppose Ive learn anything like this before. So good to find somebody with some original ideas on this subject. realy thanks for starting this up. this web site is something that’s wanted on the net, somebody with originality. helpful job for bringing one thing new to the web!

  6. ... says:

    Thank you, I have recently been searching for information about this topic for ages and yours is the best I have discovered so far.

  7. Good job. Useful and helpful info here. Thanks

  8. Jenn Livings says:

    Hi. This is Jenn Livings, glad to make your acquaintance.

    I like the title you gave the post: ” Thwarting XSS!”. Currently I have a blog myself ( … It might be a little offtopic but still, have a look around at the blog 🙂


    Jenn Livings of

  9. chea says:

    That is my first time I have visited here. I’ve discovered so much interesting stuff in your blog. From the tons of comments on your articles,to all the totally different posts. I guess I am not the one one having all the good reading here! keep up the great work. Thank you…

  10. cheap says:

    You have really helped me out…. thanks!

  11. I am grateful to obtain found this site. Retain up the beneficial postings.

  12. AngB says:

    Rattling instructive and good anatomical structure of content material , now that’s user pleasant 🙂

  13. Tresa Galli says:

    I know this is truly boring and you are skipping to the next comment, but I just wanted to throw you a large thanks – you cleared up some things for me!

  14. I’ve been browsing online more than 3 hours today, yet I never found any interesting article like yours. It is pretty worth enough for me. In my view, if all webmasters and bloggers made good content as you did, the web will be much more useful than ever before.

  15. Even Mark says:

    Every one on internet searches for quality content. Its very unfortunate with nigh of the websites published posts that are boring and away of context articles, only to show that young material is being published. Contrary to that immoral practice, this clause is a well-written article.

  16. Miki Glicher says:

    You really make it seem so easy with your presentation but I find this matter to be actually something that I think I would never understand. It seems too complicated and very broad for me. I’m looking forward for your next post, I will try to get the hang of it!

  17. Forex says:

    We are a group of volunteers and starting a new scheme in our community. Your site offered us with valuable information to work on. You’ve done a formidable job and our entire community will be thankful to you.

  18. Brittni Egerton says:

    Thank you on your help!

  19. Russell Armstrong says:

    Appreciating this time and energy putting in to the website and in depth information u present. It’s awesome to come over a different blog site once in a time that isn’t the same old re-spun information. Fantastic info… I’ve bookmarked your site and I am adding your Rss feeds into Msn account.

  20. Ina Lovern says:

    I really like the fresh perpective you did on the problem. Really was not expecting that when I started off studying. Your concepts had been simple to comprehend that I wondered why I never looked at it prior to. Glad to know that there’s an individual out there that definitely understands what he’s discussing. Great job

  21. Your blog has made me think about an subject from another context. This is absolutely rare when I change my conception about such questions but it looks that you’ve done it. The day has begin with something new! Thank you!

  22. Leonarda Humbles says:

    Solid post, nice work. It Couldn’t be written any improved. Reading this post reminds me of my previous boss! He usually kept babbling about this. I will forward this article to him. Pretty certain he will have a superb read. Thanks for sharing!

  23. Super blog post,I have bookmarked this internet site. i visit you soon again 😉

  24. thanks, and keep up the good work

  25. Hayley Comas says:

    thanks, and maintain up the good work

  26. Drutman says:

    Rather valuable piece

  27. I frequently read your blog admin try to find it quite fascinating. Thought it was about time i show you , Sustain the truly fantastic work

  28. I couldn?t currently have asked for an even better blog. You?re there to offer excellent suggestions, going straight away to the point for straightforward understanding of your website visitors. You?re surely a terrific pro in this area. Thank you for currently being there visitors like me.

  29. I really like the fresh perpective you did on the problem. Really was not expecting that when I started off studying. Your concepts were easy to comprehend that I wondered why I never looked at it prior to. Glad to know that there’s an individual out there that definitely understands what he’s discussing. Great job

  30. Landen says:

    At very last I discovered the data and details that I was trying to get. Very well carried out! You have approached the subject in a very distinct and concise manner.

  31. Elsie Erps says:

    Fantastic post.Much thanks again. Really Great.

  32. Major thankies for the blog post.Really looking forward to read more.

  33. I’m really glad I’ve found this information. Nowadays bloggers publish just about gossips and internet and this is really annoying. A good site with interesting content, that’s what I need. Thank you for keeping this web-site, I will be visiting it. Do you do newsletters? Cant find it.

  34. Terrific, that’s exactly what I was searching for! You just saved me alot of digging around

    I’ll make sure to put this in good use!

  35. My spouse and I like reading through this. I might publish this on digg. I am sure you will get quite a few thumbs up

  36. Thanks for the sensible critique. Me & my neighbor were just preparing to do some research about this. We got a grab a book from our area library but I think I learned more from this post. I’m very glad to see such excellent info being shared freely out there.

  37. Server0 says:

    Hi there can I use some of the information here in this blog if I reference you with a link back to your site?

    • Sectruni0 says:

      Yeah! For sure..
      You can publish any information from our blog with just a catch: ‘link-back’ to the original one.

  38. Samela289 says:

    I run my own siteand I came here by mistake. I read your articles and I found that they’re fascinating! I want to use them on my blog. I want do that without your permission, so say yes. I’m greeting warmly.

  39. Dohrman says:

    Excellent post. I was checking continuously this blog and I am impressed! Very useful information specifically the last part 🙂 I care for such information much. I was seeking this particular info for a long time. Thank you and best of luck.

  40. Valene Pembroke says:

    I think this is one of the most significant information for me. And i am glad reading your article. But want to remark on few general things, The web site style is perfect, the articles is really excellent : D. Good job, cheers

Leave a Reply