XSS vulnerabilities and protection
Dynamic websites actively work with data received from users: in fact, almost all the information on such a site was added there by the users themselves. A good example is a forum, where 99.9% of the content is published by the users.
But whenever users are given a capability, you need to be prepared for that capability to be used for other purposes. Thus, forms for publishing content can be used not to send harmless text but to infect your site with malicious code.
Any information received from the user must be filtered before it is displayed in the template! Filtering means applying a set of rules to this information that clean it up and prepare it for publication on the site. We filter information to prevent an XSS vulnerability from appearing on our website.
XSS (cross-site scripting) is a type of vulnerability inherent in web applications.
The attack consists in injecting malicious JS code into the page served to visitors. This becomes possible due to insufficient filtering of data received from the user. A typical scenario:
- The site has a form for posting a message.
- Through this form, the hacker sends JS code instead of plain text.
- The message is published on a page that is available to all visitors.
- The malicious code is executed for every visitor to this page.
- The malicious script harms the site users. For example, it steals their cookies.
Replacing dangerous symbols
The problem is clear. We need to secure the page by filtering the information that comes from the form. But how do we filter so as not to lose the text, while at the same time depriving the hacker of the opportunity to harm us?
This is where HTML mnemonics (character entities) come in handy.
A mnemonic is the code representation of a character in HTML; it begins with an ampersand "&" and ends with a semicolon ";". For example, the less-than sign "<" is written as "&lt;", so the browser displays it as text instead of treating it as the start of a tag.
There is another filtering option: simply cut all tags out of the text. No tags, no problem.
Htmlspecialchars filtering function
Let's move on to practice. In the PHP script, add a call to a function that filters the passed string and replaces all dangerous characters in it with the corresponding HTML mnemonics. This function is called htmlspecialchars().
This is how it works:
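The following is an added example, not code from the original page: it shows a constructed forum message rendered three ways, first without any filtering (the vulnerable case the list above describes), then with htmlspecialchars() replacing dangerous characters by mnemonics, and finally with the tag-cutting alternative via strip_tags(). The function names renderUnsafe, renderEscaped and renderStripped and the sample message are assumptions made for this illustration.

```php
<?php
// Added example (not from the original page): escaping user-submitted text
// before it is placed in an HTML template.

// Constructed sample of what might arrive through the message form:
// legitimate text mixed with a <script> tag and characters that are
// special in HTML.
$userMessage = "Hello <b>all</b> <script>alert(1)</script> & \"friends\" 'too'";

/**
 * Vulnerable rendering: the text is inserted into the page unchanged,
 * so the browser of every visitor parses and executes the <script> tag.
 */
function renderUnsafe(string $message): string
{
    return "<div class=\"message\">" . $message . "</div>";
}

/**
 * Hardened rendering: every character with special meaning in HTML
 * (<, >, &, " and ') is replaced by its mnemonic, so the browser shows
 * the text literally instead of interpreting it as markup.
 * ENT_QUOTES also converts single quotes, which matters when the value
 * ends up inside a single-quoted attribute; ENT_SUBSTITUTE replaces
 * invalid UTF-8 sequences instead of returning an empty string; the
 * charset is passed explicitly so the result does not depend on
 * the default_charset setting of the server.
 */
function renderEscaped(string $message): string
{
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<div class=\"message\">" . $safe . "</div>";
}

/**
 * The alternative mentioned in the text: remove the tags altogether.
 * strip_tags() does not touch &, " or ', so the result is still passed
 * through htmlspecialchars() before it is written into the page.
 */
function renderStripped(string $message): string
{
    $plain = strip_tags($message);
    $safe  = htmlspecialchars($plain, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<div class=\"message\">" . $safe . "</div>";
}

echo "Unsafe:   ", renderUnsafe($userMessage), PHP_EOL;
echo "Escaped:  ", renderEscaped($userMessage), PHP_EOL;
echo "Stripped: ", renderStripped($userMessage), PHP_EOL;
```

Run it with `php example.php` and compare the three lines: only the first still contains a live `<script>` tag. One caveat worth keeping in mind: htmlspecialchars() makes a value safe for HTML text and for quoted attribute values, but not for other contexts such as the inside of a `<script>` block, an event-handler attribute, or a URL, each of which needs its own context-specific escaping.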