I want to prevent cross-site scripting attacks in web applications I make. If someone could provide me with some suggestions and advice, it would be really helpful.
Dani 4,329 The Queen of DaniWeb Administrator Featured Poster Premium Member
I briefly answered your question here by saying:
To prevent cross-site scripting attacks, you similarly want to make sure that all text derived from user-generated input is HTML escaped. If using PHP, you can use the
htmlspecialchars()function.
It really is that simple, if you're using PHP. I do see you tagged this code Javascript, so here's a quick JS function I found on this page of SO that you can use:
function escape(s) {
let lookup = {
'&': "&",
'"': """,
'\'': "'",
'<': "<",
'>': ">"
};
return s.replace( /[&"'<>]/g, c => lookup[c] );
}
console.log(escape("<b>This is 'some' text.</b>"));As you can see, all it takes to escape HTML code is to replace &, ", ', < and >. Ampersand, double quote, single quote, less than, and greater than are kinda like reserved characters in HTML. Once you escape those, no one can inject user-generated content to execute HTML or JS on your page that you don't want it to, which is what an XSS attack is.
gottaloveit 32 Newbie Poster
In whatever code language is running on the server, use a well known database library that is well documented and features XSS aka sql injection prevention.
webhostingworld 0 Newbie Poster
Minimize the use of inline JavaScript within your HTML code. Instead, use external JavaScript files and scripts to separate content from functionality.Ensure that sensitive cookies have the HttpOnly and Secure flags set.
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.