Comments on: Cross Site Scripting: what it is, and how to prevent it http://buildingbrowsergames.com/2008/04/28/cross-site-scripting-what-it-is-and-how-to-prevent-it/ Ever wanted to build a browsergame? Wed, 10 Mar 2010 20:26:23 +0000 http://wordpress.org/?v=2.8.5 hourly 1 By: me http://buildingbrowsergames.com/2008/04/28/cross-site-scripting-what-it-is-and-how-to-prevent-it/comment-page-1/#comment-684 me Thu, 07 Jan 2010 03:07:59 +0000 http://buildingbrowsergames.com/?p=19#comment-684 I'd say that if someone has accessed your database and hand entered the data you have bigger problems than XSS attacks. Escaping before inputting into the database means you only need to escape once which makes things more efficient. Also use htmlspecialchars not htmlentities it does the same job but uses less resources. I'd say that if someone has accessed your database and hand entered the data you have bigger problems than XSS attacks. Escaping before inputting into the database means you only need to escape once which makes things more efficient. Also use htmlspecialchars not htmlentities it does the same job but uses less resources.

]]> By: ABDUKRAHMAN http://buildingbrowsergames.com/2008/04/28/cross-site-scripting-what-it-is-and-how-to-prevent-it/comment-page-1/#comment-508 ABDUKRAHMAN Wed, 14 Oct 2009 08:01:33 +0000 http://buildingbrowsergames.com/?p=19#comment-508 Woo this is a nice blog, i would love to read more.<br><br>Thanks<br>oemal<br>______________________________________________<br><a href="http://www.videogame911.com" target="_blank" rel="nofollow">xbox repair services</a> | <a href="http://www.insuranceraters.com" target="_blank" rel="nofollow">best auto insurance rates</a> | <a href="http://www.coatesdolan.com/" target="_blank" rel="nofollow">san miguel de allende real estate</a> Woo this is a nice blog, i would love to read more.

Thanks
oemal
______________________________________________
xbox repair services | best auto insurance rates | san miguel de allende real estate

]]> By: Luke http://buildingbrowsergames.com/2008/04/28/cross-site-scripting-what-it-is-and-how-to-prevent-it/comment-page-1/#comment-216 Luke Mon, 29 Dec 2008 17:56:31 +0000 http://buildingbrowsergames.com/?p=19#comment-216 Roy,<br>You could definitely do both - how much you allow or disallow is entirely up<br>to you. Roy,
You could definitely do both – how much you allow or disallow is entirely up
to you.

]]> By: Roy http://buildingbrowsergames.com/2008/04/28/cross-site-scripting-what-it-is-and-how-to-prevent-it/comment-page-1/#comment-215 Roy Sun, 28 Dec 2008 14:46:45 +0000 http://buildingbrowsergames.com/?p=19#comment-215 So why not simply do both? Make Account names viable if they are only Numbers and letters( ex A-Z, a-z, 0-9), no other char allowed, as well as escaping the repeating information? So why not simply do both? Make Account names viable if they are only Numbers and letters( ex A-Z, a-z, 0-9), no other char allowed, as well as escaping the repeating information?

]]> By: Luke http://buildingbrowsergames.com/2008/04/28/cross-site-scripting-what-it-is-and-how-to-prevent-it/comment-page-1/#comment-168 Luke Fri, 07 Nov 2008 00:36:43 +0000 http://buildingbrowsergames.com/?p=19#comment-168 While it would make sense to escape the username before it enters the<br>database, escaping it afterwards helps protect you against XSS attacks that<br>originate *from* your database - for example, if an attacker gained access<br>to your database and hand-entered the data.<br>Rejecting usernames that have special characters in them isn't a bad idea,<br>but it tends to confuse the user - which characters are invalid? Which<br>aren't? It would be more useful if you could tell them which characters were<br>not allowed. While it would make sense to escape the username before it enters the
database, escaping it afterwards helps protect you against XSS attacks that
originate *from* your database – for example, if an attacker gained access
to your database and hand-entered the data.
Rejecting usernames that have special characters in them isn't a bad idea,
but it tends to confuse the user – which characters are invalid? Which
aren't? It would be more useful if you could tell them which characters were
not allowed.

]]> By: Abraxas http://buildingbrowsergames.com/2008/04/28/cross-site-scripting-what-it-is-and-how-to-prevent-it/comment-page-1/#comment-167 Abraxas Thu, 06 Nov 2008 04:39:04 +0000 http://buildingbrowsergames.com/?p=19#comment-167 I agree that as a general rule this is excellent practice but for something like the user name wouldn't it make for sense to escape it before adding it to the database instead of every time it is displayed? In fact as part of my registration validation I compare the user name with the return from the escape function and if they're not equal I reject the name:<br><br>if ($username != htmlspecialchars($username)) {<br> $err = "name contains invalid characters";<br>} I agree that as a general rule this is excellent practice but for something like the user name wouldn't it make for sense to escape it before adding it to the database instead of every time it is displayed? In fact as part of my registration validation I compare the user name with the return from the escape function and if they're not equal I reject the name:

if ($username != htmlspecialchars($username)) {
$err = “name contains invalid characters”;
}

]]>