I've found a "database" of many XSS attacks, and while this list provides quite a big list of attacks, are there any other attacks that didn't fall in the XML, what to look out for, and most unexpected?
Not sure exactly what you're looking for, but if you want to prevent XSS attacks on your site, I would say don't allow HTML at all. If you want to allow HTML, see how StackOverflow does it.
You might find a few things that the other site missed here.
It is a very extensive topic and needs detailed and up-to-date knowledge of the techniques used by hackers for accomplishing XSS. But to begin with, you should not trust anything the user inputs. Take it as a potential attempt to hack your site or corrupt your database.
You can use many of the cleaning tools available to remove potentially malicious input, like:
For ASP.NET: Microsoft Anti-XSS library, HTML Agility Pack from CodePlex.
For PHP you can certainly use HTMLPurifier. It is a very nice and capable tool.
I've used HTML Purifier to allow users to input only specific, safe, HTML into comment text boxes before. It does a very nice job, and has very good documentation.
For everything else, like a simple text box or select box, when writing the value to the page I always run it through htmlentities():
htmlentities($_POST['email'], ENT_QUOTES);
As long as all user-submitted data is always written to the page using htmlentities(), you should never have an XSS problem.
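The answer above relies on htmlentities() with ENT_QUOTES. As an added example (not part of the original answers; the helper names esc_html and safe_href and the sample inputs are constructed here), this shows what ENT_QUOTES changes inside a single-quoted attribute, and adds a scheme allow-list for values written into href, a context that entity encoding alone does not cover:

```php
<?php
// Added example: helper names and sample inputs are constructed for illustration.

// Encode a value for HTML text or a quoted attribute. Flags and charset are
// explicit so the result does not depend on the PHP version's defaults
// (before PHP 8.1 the default flag was ENT_COMPAT, which skips single quotes).
function esc_html(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Entity encoding does not change what a URL scheme means, so a value that
// will be written into href is first required to be an absolute URL with an
// allow-listed scheme; anything else is replaced with a harmless fragment.
function safe_href(string $url): string
{
    $scheme = parse_url(trim($url), PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https', 'mailto'], true)) {
        return '#';
    }
    return esc_html($url);
}

// Constructed sample inputs standing in for $_POST values.
$name = "x' onfocus='alert(1)";
$site = "javascript:alert(1)";
$good = "https://example.com/?a=1&b=<2>";

// Single-quoted attribute: ENT_COMPAT leaves the quote intact, ENT_QUOTES encodes it.
echo "<input value='" . htmlentities($name, ENT_COMPAT, 'UTF-8') . "'>\n";
echo "<input value='" . esc_html($name) . "'>\n";

// href context: the scheme check runs before encoding.
echo '<a href="' . safe_href($site) . '">profile</a>' . "\n";
echo '<a href="' . safe_href($good) . '">profile</a>' . "\n";
```

Values placed inside script blocks, inline event handlers or CSS need encoders specific to those contexts; esc_html() covers HTML text and quoted attribute values only.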