stackoom
  简体   繁体   中英

Prevent XSS attacks when echoing HTML using PHP

 原文  2021-05-10 13:33:18       javascript/ php/ xss

Question

I have a simple bimple function which echoes this:

echo '<button name="wooba" onclick="alert(this.name)">Say name</button>'

This just works fine, but If a user edits the HTML using a Chrome or Firefox, he can modify the code to output something like:

echo '<button name="wooba" onclick="alert('XSS :D')">Say name</button>'

I have set the only http on the php ini relating the cookies, but is there any way to prevent the user from modifying and successfully changing the site's javascript?

Thanks!

1 answers

solution1
 1 ACCPTED  2021-05-10 13:39:22

Once the document reaches a user's browser it is theirs to manipulate how they like. This in itself isn't XSS. An XSS exploit exists when a bad actor can inject a script in other people's document. In your example, so long as this.name doesn't come from user input you don't have a problem.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question PHP: How to totally prevent XSS attacks? Need to prevent XSS attacks? angularjs prevent XSS attacks Avoiding XSS attacks when storing HTML Avoiding XSS when echoing POSTed HTML How to handle HTML blocks in the parameters of the REST query to prevent XSS attacks? Prevent XSS attacks site-wide Angular - how to prevent XSS attacks in RxJs fromEvent? Prevent input type from XSS attacks Does https secure cookies prevent XSS attacks?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM