Security
  Home arrow Security arrow Page 5 - A Quick Look at Cross Site Scripting
Dev Shed Forums 
Administration  
Apache  
BrainDump  
DHTML  
Flash  
Java  
JavaScript  
Multimedia  
MySQL  
Oracle  
Perl  
PHP  
Practices  
Python  
Reviews  
Security  
Style-Sheets  
Web Services  
XML  
Zend  
Zope  
Forums Sitemap 
IBM® developerWorks 
Dedicated Servers 
E-Commerce Hosting 
Linux Web Hosting 
Managed Hosting 
Small Business Hosting 
Download TestComplete 
VPS Hosting 
Weekly Newsletter

 
Developer Updates  
Free Website Content 
IBM Rational Software Development Conference
 RSS  Articles
 RSS  Forums
 RSS  All Feeds
Write For Us Get Paid 
Request Media Kit
Contact Us 
Site Map 
Privacy Policy 
Support 
 USERNAME
 
 PASSWORD
 
 
  >>> SIGN UP!  
  Lost Password? 
SECURITY

A Quick Look at Cross Site Scripting
By: Alejandro Gervasio
  • Search For More Articles!
  • Disclaimer
  • Author Terms
    		•
    Rating: 5 stars5 stars5 stars5 stars5 stars / 43
    2005-01-04

    Table of Contents:
  • A Quick Look at Cross Site Scripting
  • What is Cross Site Scripting?
  • Going deeper into JavaScript
  • The hidden link
  • Preventing Cross Site Scripting
  • Coding for our safety
    		•

    Rate this Article: Poor Best 
      ADD THIS ARTICLE TO:
      Del.ici.ous Digg
      Blink Simpy
      Google Spurl
      Y! MyWeb Furl
    Email Me Similar Content When Posted
    Add Developer Shed Article Feed To Your Site
    Email Article To Friend
    Print Version Of Article
    PDF Version Of Article
    		 
     
     
    ADVERTISEMENT

    Stay one step ahead of the competition. Evaluate and give feedback on some of the hottest web development tools on the market today. Make your opinion heard! Click Here

    A Quick Look at Cross Site Scripting - Preventing Cross Site Scripting
    (Page 5 of 6 )

    First off, we need to follow simple and straight rules, applicable to common scenarios, where user input is always involved.

    Always, all the time, and constantly (pick your term), check to ensure what’s coming from POST and GET requests. However obvious, you should never pass by these steps.

    If a specific and particular type of data is expected, check to ensure that it’s a really valid type and that its of the expected length. Whatever programming language you’re using will give you the possibility and the power to do that easily.

    Whenever possible, use client-side validation for adding extra functionality to user input checking. Please note that JavaScript validation cannot be used on its own for checking data validity, but it may help to discourage some evil-minded visitors from entering malicious data while providing useful assistance to other well-intended users.

    Remove conflicting characters from user input. Search for < and > characters and make sure they're quickly removed. Single and double quotes must be escaped properly too. Many professional websites fail when dealing with character escaping. I hope you won’t.

    We might go on endlessly, with numerous tips about validating user data, but you can get a lot more from just checking some other useful tutorials and articles. For the sake of this article, we’ll show an example to prevent Cross Site Scripting using PHP.

    Next: Coding for our safety >>
     

    More Security Articles
    More By Alejandro Gervasio


       · Woah, the possibilities of this have never crossed my mind. Great article!
       · Um, how is this solution better than using such built-in PHP functions as...
       · I always use this:<?php/** * Remove slashes, tags and ASCIIZ from GET,...
       · You *never* *ever* do something like:echo $_GET['variable'];this does not...
       · Hello,I'm the author of the article.Cheers.I totally agree that echoing GET...
       · Hello,Because I wrote the article, I must thank you for the comment. It's great...
       · Hello again,Also,it's worthy considering that JavaScript embbeded into links, is...
       · I don't think this article creates a real scary threat, If you use javascript to...
       · Hello,Thank you for commenting on my article. With regard to your comment I must...
       · the problem is you're not actually *validating* your input. You're just altering it...
       · Thank you for your comments on this article. Well, you're correct when you say the...
       · First it need to be noted that no php security scripting will replace a improperly...
       · whichever admin reviewed the above scripts i submitted screwed them up.there...
       · here is the second one that requires CCISECURITY.PHP<?php####### ...
       · here is the third one i mentioned .it is a stand-alone secueirty class providing...
       · Thank you for posting this extremely useful set of classes with reference to...
       · As I posted before, I greatly appreciate the group of excellent classes you listed...
     
    >>> Post your comment now!

       

    SECURITY ARTICLES

    - An Epilogue to Cryptography
    - A Sequel to Cryptography
    - An Introduction to Cryptography
    - Security Overview
    - Network Security Assessment
    - Firewalls
    - What’s behind the curtain? Part II
    - What’s behind the curtain? Part I
    - Vectors
    - PKI: Looking at the Risks
    - A Quick Look at Cross Site Scripting
    - PKI Architectures: How to Choose One
    - Trust, Access Control, and Rights for Web Se...
    - Basic Concepts of Web Services Security
    - Safeguarding the Identity and Integrity of X...
    Find More Security Articles
     
    Accelerating Trading Partner Performance
     
    Competing on Analytics
     
    Cost Effective Scaling with Virtualization and Coyote Point Systems
     
    Five Checkpoints to Implementing IP Telephony
     
    Hosted Email Security: Staying Ahead of New Threats
     




    © 2003-2008 by Developer Shed. All rights reserved. DS Cluster 2 hosted by Hostway