Preventing non-persistent XSS attacks
#4

(This post was last modified: 09-23-2021, 05:22 PM by kenjis.)

In controllers:
PHP Code:
// escapes every query parameter up front, before the output context is known
foreach ($_GET as $key => $param) {
    $_GET[$key] = htmlentities($param, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

It is a bad practice.
Escape just before outputting.
Because escaping depends on the context (in this case HTML output).

(09-23-2021, 01:24 AM)jhob Wrote: It's the browser that's executing the code, so I'm not sure that doing anything in PHP can prevent that.  I'm wondering if it could somehow detect any malicious content and redirect to a 'safe' url.

If the browser's JavaScript reads the query string in the URL and executes something and you get the popup,
you need to fix the JavaScript code.
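A worked example, added here and not part of the thread or of CodeIgniter, written in JavaScript rather than the PHP above because the popup jhob describes comes from browser-side code. It shows why escaping every $_GET value in the controller is the wrong place to escape (the same value needs a different escaper for an HTML text sink than for a string literal inside a <script> block, and a value escaped up front is either corrupted or left unprotected in the other context), and it shows the textContent fix for JavaScript that reads the query string. The function names, the fake element and the sample values are constructed for this example.

```javascript
'use strict';
// Added example (not from the forum thread or CodeIgniter). Helper names,
// the fake element and the sample inputs are constructed for illustration.

// Escaper for the HTML text and double-quoted attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Escaper for a JavaScript string-literal context inside a <script> block.
// JSON.stringify handles quotes, backslashes and control characters; the
// extra replace stops a "</script>" inside the data from closing the element.
function escapeJsString(value) {
  return JSON.stringify(String(value)).replace(/<\//g, '<\\/');
}

// Right: keep the raw value and escape at each output point with the
// escaper that matches that sink.
function renderAtOutput(rawName) {
  return {
    html: '<p>Hello, ' + escapeHtml(rawName) + '</p>',
    script: '<script>var name = ' + escapeJsString(rawName) + ';</script>',
  };
}

// Wrong: the "escape everything in $_GET in the controller" approach. The
// HTML-escaped copy is then reused for every sink, so O'Brien reaches the
// script block as O&#39;Brien. Choosing the other escaper up front is no
// better: a JS-escaped value written into HTML keeps its angle brackets.
function renderEscapedUpFront(rawName) {
  const preEscaped = escapeHtml(rawName); // done once, before any sink is known
  return {
    html: '<p>Hello, ' + preEscaped + '</p>',                                  // fine
    script: '<script>var name = ' + escapeJsString(preEscaped) + ';</script>', // corrupted data
    htmlFromJsEscaped: '<p>Hello, ' + escapeJsString(rawName) + '</p>',         // '<' survives: XSS
  };
}

// DOM-based variant: the browser's own JavaScript reads the query string
// from window.location and writes it into the page. Whatever PHP does to
// $_GET changes nothing here, because the script reads the URL directly.
function renderNameUnsafe(el, search) {
  const name = new URLSearchParams(search).get('name') || '';
  el.innerHTML = 'Hello, ' + name; // HTML sink: markup from the URL is parsed and executed
}

// The fix kenjis points at: change the JavaScript, not the PHP. textContent
// is a text sink, so the value is never parsed as HTML.
function renderNameSafe(el, search) {
  const name = new URLSearchParams(search).get('name') || '';
  el.textContent = 'Hello, ' + name;
}

// Stand-in for a DOM element so the example runs under Node without a browser.
function fakeElement() {
  return { innerHTML: '', textContent: '' };
}

// Constructed attack value: what ?name=... would carry in the URL.
const PAYLOAD = '<img src=x onerror=alert(1)>';

function demo() {
  const search = '?name=' + encodeURIComponent(PAYLOAD);
  const unsafe = fakeElement();
  const safe = fakeElement();
  renderNameUnsafe(unsafe, search);
  renderNameSafe(safe, search);
  return {
    atOutput: renderAtOutput("O'Brien"),
    upFront: renderEscapedUpFront("O'Brien"),
    unsafeSink: unsafe.innerHTML,   // raw markup lands in an HTML sink
    safeSink: safe.textContent,     // same characters, but as text only
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with node to see the four renderings side by side. The practical rule is the one kenjis gives: keep the request value raw, pick the escaper at the sink (escapeHtml for markup, escapeJsString for a script literal, a text sink such as textContent in the browser), and never store a pre-escaped copy that later has to serve a context it was not escaped for.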


Messages In This Thread
Preventing non-persistent XSS attacks - by jhob - 09-23-2021, 12:41 AM
RE: Preventing non-persistent XSS attacks - by kenjis - 09-23-2021, 05:18 PM


