info/php-the-right-way
1
0
Fork 0
mirror of https://github.com/codeguy/php-the-right-way.git synced 2025-08-13 17:23:58 +02:00
Code Issues Projects Releases Wiki Activity

Merge pull request #190 from pomle/gh-pages

Browse Source 
Suggested change to Cross-Site Scripting Mitigation.
This commit is contained in:
Phil Sturgeon
2012-10-15 00:40:18 -07:00
parent ced10a36c3 f1e806c941
commit 8d7c340325
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
_posts/07-04-01-Data-Filtering.md
View File

@@ -19,8 +19,10 @@ the data is filtered properly and can it be trusted.
Data may be _filtered_ differently based on its purpose. For example, when unfiltered foreign input is passed Data may be _filtered_ differently based on its purpose. For example, when unfiltered foreign input is passed
into HTML page output, it can execute HTML and JavaScript on your site! This is known as Cross-Site into HTML page output, it can execute HTML and JavaScript on your site! This is known as Cross-Site
Scripting (XSS) and can be a very dangerous attack. One way to avoid XSS is to sanitize all HTML tags Scripting (XSS) and can be a very dangerous attack. One way to avoid XSS is to sanitize all user-generated
in the input by removing tags or escaping them into HTML entities. data before outputting it to your page by removing HTML tags with the `strip_tags` function or escaping
characters with special meaning into their respective HTML entities with the `htmlentities`
or `htmlspecialchars` functions.
Another example is passing options to be executed on the command line. This can be extremely dangerous Another example is passing options to be executed on the command line. This can be extremely dangerous
(and is usually a bad idea), but you can use the built-in `escapeshellarg` function to sanitize the executed (and is usually a bad idea), but you can use the built-in `escapeshellarg` function to sanitize the executed