As web is now the part of our life and we can’t think our daily works without www. For both users and developers, security is a key question. I would like to share some simple security points in this post, which are common.
- Cross Site Scripting(or XSS) is one of the most common application-layer web attacks. XSS commonly targets scripts embedded in a page which are executed on the client-side (in the user’s web browser) rather than on the server-side. An example of XSS may be as from user input. Suppose you put <textarea> on your site to get user input. But malicious user give input like this :
<script type="text/javascript"> window.locaton('http://example.com'); </script>
or it may be a unwanted alert message in javascript, which is not expected.So you definitely want to prevent this type of attack. I’m going to show the solution here in CodeIgniter. CodeIgniter has its built in input class.The example is below:
$data= $this->input->post('UserInput'); $data_xss = $this->input->xss_clean($data);
At first, you get user input by post method and now just pass that value to the function. if you print the final value, you will see the javascript code will be replaced by others like [removed].Now you can pass the value to database query or do anything with that value.
- Use htmlentities( ) for user input . It will convert all applicable characters to HTML entities like below.
$str = "A 'quote' is <b>bold</b>"; // Outputs: A 'quote' is <b>bold</b> echo htmlentities($str);
Some useful links for best practices and security:
- http://bit.ly/5W1yoi
- http://bit.ly/c3KxsL
- http://bit.ly/7I4A
Cheers and practice with best approach. 🙂