Site Insecurity
Over at Chris Shiflett’s blog (he’s the author of Essential PHP Security) he’s got a nice writeup on foiling cross-site scripting attacks on web sites.
While this is an older article (from 2004), it still addresses many dangerous issues that developers continue to create in production code.
One of our developers here recently wrote a fairly large scripting system to deliver advertising to customers that was vulnerable to at least four XSS attacks, and I spent a fair amount of time sanitizing input and securing her code.
Do you accept input from users? Are you calling strip_tags (to block XSS/XSRF), escaping strings (to block SQL injection), and sanitizing all user input before storing or displaying it? If not, you might be vulnerable.
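As an added example (not code from the linked article or from this site), here is how those steps look in PHP for a single user-supplied form field, with the weak form shown in comments for comparison; the comments table, its columns and the in-memory SQLite connection are assumptions for the demo.

```php
<?php
declare(strict_types=1);

// Input filtering: accept only what the field is expected to contain.
// Returns null when the input should be rejected instead of "repaired".
function filterComment(string $raw): ?string {
    $clean = trim(strip_tags($raw));       // drop any markup the user sent
    if ($clean === '' || strlen($clean) > 1000) {   // byte-length cap
        return null;
    }
    return $clean;
}

// Storage: a prepared statement keeps the value out of the SQL text entirely,
// so escaping for the database is no longer a manual (and easily missed) step.
function storeComment(PDO $db, int $userId, string $comment): void {
    $stmt = $db->prepare('INSERT INTO comments (user_id, body) VALUES (:uid, :body)');
    $stmt->execute([':uid' => $userId, ':body' => $comment]);
}

// Output escaping: encode for the HTML context at the moment of display.
// strip_tags on input is not sufficient on its own, because stored data may
// later be shown in a context (attribute, script) the input filter never saw.
function renderComment(string $comment): string {
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Weak form, for comparison (do not use): raw input interpolated into SQL and HTML.
// $db->query("INSERT INTO comments (body) VALUES ('" . $_POST['comment'] . "')");
// echo '<p>' . $_POST['comment'] . '</p>';

// Demo wiring with an assumed in-memory database so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT)');

$comment = filterComment($_POST['comment'] ?? '');
if ($comment === null) {
    http_response_code(400);
    exit('Invalid comment');
}
storeComment($db, 42, $comment);   // 42: constructed user id for the demo
echo renderComment($comment);
```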