I have scanned my PHP code using the AppScan Source tool (from HCL Software) and found that there are almost 350 XSS-type issues of various patterns.
I'm wondering what a good way to fix them in PHP is. Most of them are due to HTML that we echo or add dynamically.
An example line flagged as XSS in the scan is given below:
echo '<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/" xmlns:moz="http://www.mozilla.org/2006/browser/search/">';
XSS stands for Cross-Site Scripting. These are attacks: a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
We want to prevent this from happening. Since you are using PHP, this won't be resolved using http://htmlpurifier.org/. You'll have to use another method. What you can try are the following options:
These are simple steps to prevent an XSS attack from happening:
I'll include two short examples of encoding in PHP here. You could try the htmlspecialchars I suggested to you earlier. I'll give an example with the line of code you gave in your question.
echo '<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/" xmlns:moz="http://www.mozilla.org/2006/browser/search/">';
Would be changed to:
echo htmlspecialchars('<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/" xmlns:moz="http://www.mozilla.org/2006/browser/search/">', ENT_QUOTES, 'UTF-8');
You could also use an HTML encoder and place this inside an echo, for example:
echo "<OpenSearchDescription xmlns=\"http://a9.com/-/spec/opensearch/1.1/\" xmlns:moz=\"http://www.mozilla.org/2006/browser/search/\">";
These all give the output: <OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/" xmlns:moz="http://www.mozilla.org/2006/browser/search/">.
Here is a short explanation of what XSS does. In a Cross-site Scripting attack (XSS), the attacker uses your vulnerable web page to deliver malicious JavaScript to your user. The user's browser executes this malicious JavaScript on the user's computer. Note that about one in three websites is vulnerable to Cross-site Scripting.
Google Code University also has these very educational videos on Web Security:
How To Break Web Software - A look at security vulnerabilities in web software
What Every Engineer Needs to Know About Security and Where to Learn It
EDIT: This website may also help you: http://htmlpurifier.org/ <- this rewrites your code. As said in a review by IRIS: "I'd just like to say we use HTML Purifier in IRIS for filtering emails against XSS attacks and we've been more than impressed." Take a look into it, it might help you out.
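The following is an added example, not code from the question or from either answer. It shows the pattern a reviewer of those 350 findings would want to see: the static markup that AppScan flagged is emitted unchanged, and only the dynamic values that reach an echo are encoded, with the encoder chosen per output context (text node or attribute via htmlspecialchars, JavaScript string via json_encode). The helper names e(), js(), renderOpenSearch() and renderResultsPage(), the sample hostile input and the example.invalid URL are hypothetical; it assumes PHP 7.3 or later for JSON_THROW_ON_ERROR.

```php
<?php
declare(strict_types=1);

// Encoder for an HTML/XML text node or a double-quoted attribute value.
// ENT_QUOTES encodes both ' and ", so the result is safe inside "..." attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of returning ''.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encoder for a value placed inside a <script> block as a JavaScript string literal.
// The JSON_HEX_* flags turn < > & ' " into \uXXXX escapes, so "</script>" cannot
// close the block; U+2028/U+2029 stay escaped because JSON_UNESCAPED_LINE_TERMINATORS is not set.
function js(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
}

// The OpenSearch document from the question, with two dynamic fields added.
function renderOpenSearch(string $shortName, string $template): string
{
    $xml  = '<?xml version="1.0" encoding="UTF-8"?>' . "\n";
    // Static literal with no untrusted data: emitted as-is, nothing to encode here.
    $xml .= '<OpenSearchDescription xmlns="http://a9.com/-/spec/opensearch/1.1/" xmlns:moz="http://www.mozilla.org/2006/browser/search/">' . "\n";
    // Dynamic text node: encode.
    $xml .= '  <ShortName>' . e($shortName) . '</ShortName>' . "\n";
    // Dynamic attribute value: encode (the five entities produced are all valid XML).
    $xml .= '  <Url type="text/html" template="' . e($template) . '"/>' . "\n";
    $xml .= '</OpenSearchDescription>' . "\n";
    return $xml;
}

// A typical dynamically built HTML page: the same value lands in three contexts.
function renderResultsPage(string $query): string
{
    $html  = '<!DOCTYPE html><html><head><meta charset="UTF-8">';
    $html .= '<title>Results for ' . e($query) . '</title></head><body>' . "\n";
    // Attribute context.
    $html .= '<form action="/search"><input type="text" name="q" value="' . e($query) . '"></form>' . "\n";
    // Text-node context.
    $html .= '<p>You searched for <strong>' . e($query) . '</strong></p>' . "\n";
    // JavaScript string context: htmlspecialchars is the wrong tool here, json_encode is right.
    $html .= '<script>var lastQuery = ' . js($query) . ';</script>' . "\n";
    $html .= '</body></html>' . "\n";
    return $html;
}

// Constructed sample input standing in for $_GET['q'] and similar request data.
$hostile = '"><script>alert(1)</script>';

// With e(), the input above is emitted as &quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;
// and stays inside the attribute; with js(), the tags appear as \u003C and \u003E escapes.
echo renderOpenSearch($hostile, 'https://example.invalid/search?q={searchTerms}');
echo renderResultsPage($hostile);
```

The practical way to work through a large scanner backlog is to route every dynamic value through one of these small helpers at the point of output and leave static literals alone; a finding on a pure literal is then closed as a non-issue with the scanner configured to treat the helpers as sanitizers, while every finding on a concatenated variable gets the context-appropriate helper. A Content-Security-Policy header is a worthwhile second layer but does not replace output encoding.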
This PHP function can help you sanitize and remove all JavaScript and allow everything else. It's a great PHP function https://stackoverflow.com/a/70807494/10666501