XSS Countermeasures
- Golden Rule #2: "Escape Output"
  - Filtering input is very difficult to get right; escape data at the point where it is written into the page instead
- htmlentities($string, ENT_QUOTES, 'UTF-8')
  - Converts all applicable characters to HTML entities
- htmlspecialchars
  - Converts just the special characters [& " ' < >] to HTML entities
- Alternate markup language for user-embedded tags
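Worked example of the two escaping functions, added here and not taken from the original slides. It assumes PHP 5.4 or later and a UTF-8 page; `e()` and `e_all()` are helper names chosen for this example, and the untrusted string is constructed.

```php
<?php
// Added example: escape untrusted data when it is output into HTML.
// Assumes PHP >= 5.4 and a page served as UTF-8.

// Constructed sample of untrusted input (e.g. a user-supplied display name)
// that contains every character htmlspecialchars() treats as special.
$untrusted = '"><b>bold</b> & \'quoted\' <i>text</i>';

// For HTML text and quoted-attribute contexts.
// ENT_QUOTES: escape both " and ' (without it, older PHP versions leave the
//             single quote alone, which breaks single-quoted attributes).
// ENT_SUBSTITUTE: replace invalid UTF-8 sequences instead of returning an
//             empty string, so bad input never silently disappears.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// htmlentities() does the same and additionally converts every character
// that has a named entity (accented letters, symbols, ...). On a UTF-8 page
// that extra conversion is rarely needed; htmlspecialchars() is enough.
function e_all(string $s): string {
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe: the markup inside $untrusted is rendered by the browser.
// echo '<p>Hello, ' . $untrusted . '</p>';

// Safe: the same data is shown literally as text.
echo '<p>Hello, ' . e($untrusted) . "</p>\n";

// Safe in a double-quoted attribute, because " and ' are both escaped.
echo '<input type="text" value="' . e($untrusted) . "\">\n";

// Same input through htmlentities(): identical for these ASCII characters,
// but a non-ASCII letter such as the é in "café" is converted as well.
echo e_all($untrusted) . "\n";
echo e('café') . ' vs ' . e_all('café') . "\n";
```

Both functions only cover HTML text and attribute contexts; data written into a JavaScript string, a URL or a CSS value needs the escaping rules of that context instead.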