Cross Site Scripting Help

[rfresh]

My website failed a PCI scan because of cross site scripting. The report gave an example of the code:

 

http://www.mywebsite.com:80/?<SCRIPT>foo</SCRIPT>

 

I don't understand how to code against this security failure. My site has an index.php file so I'm assuming I have to add some code in that file since the domain URL defaults to using that file.

 

I have a sanitize function being used on all the fields coming from the index.php file already. But I guess I'm still missing something.

 

Thanks for any help...

[raindropz12]

Can you post your code? I think you missed htmlentities().

[cssfreakie]

This is a php question as far as I can tell.

 

May I assume you used $_SERVER['PHP_SELF']  somewhere?

 

if so have a look here: http://www.phpro.org/tutorials/PHP-Security.html

Let us know if that was what you were looking for

[rfresh]

>May I assume you used $_SERVER['PHP_SELF']  somewhere?

 

No I'm not using this.

 

My index.php file doesn't take any arguments. As the home page file, it just contains links to get to the other php pages on my site. I think that's what is confusing me here.

 

mywebsite.com?.script.foo.endscript shows up where? Should I just null any $_POST parameters that come from my index.php file? If so, how would I do that?

 

I'm having a hard time understanding what is happening here.