security - What are the best practices for avoiding XSS attacks in a PHP site?
I have PHP configured with magic quotes on and register globals off.
I do my best to always call htmlentities() on anything I output that is derived from user input.
I also search the database for common things used in XSS attacks, such as...
<script
What else should I be doing, and how can I make sure that the things I am trying to do are always done?
Escaping input is not the best you can do for successful XSS prevention. Output must also be escaped. If you use the Smarty template engine, you may use the |escape:'htmlall'
modifier to convert all sensitive characters to HTML entities (I use my own |e
modifier as an alias for the above).
My approach to input/output security is:
store user input unmodified (no HTML escaping on input, only DB-aware escaping done via PDO prepared statements); escape on output, depending on the output format you use (e.g. HTML and JSON need different escaping rules).
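The approach in the answer above, as an added example that is not part of the original question or answer: the raw value goes into the database through a PDO prepared statement, and a separate escaper is applied at output time for each context the value lands in (HTML text and attributes, a JSON literal inside an inline script, a URL query parameter). The function names (storeComment, escHtml, escJsonForScript, escUrlParam, renderComment), the table layout and the sample comment are my own constructions; the script assumes the pdo_sqlite extension is available so it can run against an in-memory database. Nothing here relies on magic quotes, which were removed in PHP 5.4, and htmlspecialchars is called with ENT_QUOTES explicitly because the default htmlentities() flags before PHP 8.1 did not escape the single quote, which matters for single-quoted attributes.

```php
<?php
// Added example (not from the original post): store user input unmodified via a
// PDO prepared statement, then escape on output according to the context.
// Uses an in-memory SQLite database so it runs stand-alone; the comment text
// inserted below is a constructed sample, not real data.
declare(strict_types=1);

// --- Input side: parameterised query, the stored value is not escaped at all ---
function storeComment(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// --- Output side: one escaper per output context --------------------------------

// HTML element content and quoted attribute values. ENT_QUOTES also escapes the
// single quote; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Value embedded inside an inline <script> block as a JSON literal. The HEX flags
// encode < > & ' " as \uXXXX, so the HTML parser never sees a "</script>" inside
// the string and the value cannot break out of a surrounding quote.
function escJsonForScript(array $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Value placed in a URL query-string parameter (percent-encoding, RFC 3986).
function escUrlParam(string $s): string
{
    return rawurlencode($s);
}

// Render one row; the same raw value is escaped differently in each position.
function renderComment(array $row): string
{
    $html  = '<div class="comment" data-author="' . escHtml($row['author']) . "\">\n";
    $html .= '  <p>' . escHtml($row['body']) . "</p>\n";
    $html .= '  <a href="/search?q=' . escUrlParam($row['author']) . "\">more</a>\n";
    $html .= '  <script>var comment = ' . escJsonForScript($row) . ";</script>\n";
    $html .= "</div>\n";
    return $html;
}

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input: a "<script" payload of the kind the question's
// database search is meant to catch, plus an attribute break-out in the author
// field that contains no "<script" at all and would slip past such a search.
storeComment(
    $db,
    "O'Brien\" onmouseover=\"alert(1)",
    '<script>alert(document.cookie)</script> & more'
);

foreach ($db->query('SELECT author, body FROM comments') as $row) {
    echo renderComment($row);
}
```

The point of the second sample value is that a blacklist search for "<script" in the database says nothing about an author name that closes an attribute and adds an event handler; context-correct escaping at output time neutralises both without needing to know which payload was used.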