Announcement Announcement Module
No announcement yet.
What is Cross Site Scripting or XSS and How Can You Fix it? Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • What is Cross Site Scripting or XSS and How Can You Fix it?

    XSS stands for cross-site scripting and is a type of vulnerability generally says, you have some web site which doesn't filter user input or escape output, then attacker exploits that fact by entering some malicious client side code which browsers can execute.

    There are two types of XSS attacks: stored (malicious code is saved on the server, and then sent to the end users, without proper encoding) and reflected (malicious code is usually sent to the server in GET or POST parameters in http request, and the server returns that code in response, without proper encoding).

    Reflected type attacks are more common, and they are often carried out by sending malicious links to the end users. Code, which can be any hyper link, or as a hiiden frame or something else,and will be executed on target site and steal the cookies, read sensitive data, or whatever attackers wants to do.

    Let's see how popular php frameworks handle XSS filter.

    Yii- output escaping with integrated HTMLPurifier

    Kohana2 - input filtering / global XSS filter

    Kohana3 - input filtering, they recommend output escaping with HTMLPurifier, but it's not included

    CodeIgniter - input filtering / global XSS filter

    Zend Framework - custom output escaping

    Here is how we can use xss filtering in Codeignitor.

    $data = $this->security->xss_clean($data);

    If you want the filter to run automatically every time it encounters POST or COOKIE data, then open your application/config/config.php file and set this:

    $config['global_xss_filtering'] = TRUE;

    Note: In Codeignitor, if you use the form validation class, it gives you the option of XSS filtering as well.

    An optional second parameter, is_image, allows this function to be used to test images for potential XSS attacks, useful for implementing file uploading. When this second parameter is set to TRUE, the function returns TRUE if the image is safe, and FALSE if it contained potentially malicious information that a browser may attempt to execute.

    if ($this->security->xss_clean($file, TRUE) === FALSE)
    // file failed the XSS test

    Yii Framework XSS filter example:

    public function actionHtmlPurifier(){
    $user_input = null;
    if (isset($_POST['user_input'])){
    $user_input = $_POST['user_input'];
    $parser=new CHtmlPurifier(); //create instance of CHtmlPurifier
    $user_input=$parser->purify($user_input); //we purify the $user_input
    $this->render("htmlpurifier", array('user_input'=>$user_input));
    The CHtmlPurifier component used here can also be used as a widget.When used as a widget, CHtmlPurifier will purify contents displayed in its body in a view. For example,

    <?php $this->beginWidget('CHtmlPurifier'); ?>
    /* user-entered content here */
    <?php $this->endWidget(); ?>
    With URL's you can use something like this. <a href="<?php htmlencode(filter_var($url, FILTER_VALIDATE_URL)); ?>">url description</a>

    Javascript Implementation: -

    alert('<?php echo htmlencode(json_encode($untrusted_data)); ?>'); //json_encode will escape dangerous javascript
    CSS implementation (This will escape dangerous characters with \HH format. ) :-

    <div style="background-color: '<?php echo cssencode($untrusted_data); ?>';"></div>
    div { background-color: '<?php echo cssencode($untrusted_data); ?>'; }
    function cssencode($str) {
    $str = HTMLPurifier_Encoder::cleanUTF8($str);
    $translate = array();
    $chars = array(32, 37, 42, 43, 44, 45, 47, 59, 60, 61, 62, 94, 124);
    foreach($chars as $i) {
    $translate[chr($i)] = "\\" . str_pad(dechex($i), 2, '0', STR_PAD_LEFT);
    return str_replace(array_keys($translate), array_values($translate), $str);
    } ?>
    Happy coding.

    Thank you.
    Last edited by nirmal; 17th April 2014, 06:18 AM.
Tag Cloud Tag Cloud Module