37
Securing Your Comment Form From XSS Attack.
XSS, a simple attack, but can ruin your web easily. To perform this attack, simply just type <script>alert('XSS')</script>
at your fictim's comment form. If you find this notification:
Congrats, you found a vulnerable site, and you officially become a bug hunter. XD.
Back to securing the form. There are 3 methods that i know to securing your input form form XSS:
Simple one. Check the input if the input not contain something suspicious. If you find it, you can reject the input.
For do this in PHP, you can use strip_tags
. Here is the example:
<?php
$input = '<script src = "http://evil.com/some/evil/source"></script> Some comments';
echo strip_tags($input);
?>
And, here is the result:
Some comments
You can sanitaze the input using a simple replace function. Simply, just replace <
with <
(unicode symbol for <
). If you display <
as the unicode, the XSS syntax will'nt run, and printed as normal string.
Yeah, that's my tips, Do you have any tips that i don't write here, you can add it down in the comment π.
Thanks for read, and bye! π.
37