
Cross Site Scripting Help


rfresh


My website failed a PCI scan because of cross site scripting. The report gave an example of the code:

http://www.mywebsite.com:80/?<SCRIPT>foo</SCRIPT>

I don't understand how to code against this security failure. My site has an index.php file, so I'm assuming I have to add some code in that file since the domain URL defaults to using that file.

I have a sanitize function being used on all the fields coming from the index.php file already. But I guess I'm still missing something.

Thanks for any help...

https://forums.phpfreaks.com/topic/233171-cross-site-scripting-help/

This is a PHP question as far as I can tell.

May I assume you used $_SERVER['PHP_SELF'] somewhere?

If so, have a look here: http://www.phpro.org/tutorials/PHP-Security.html

Let us know if that was what you were looking for.
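The following is an added example, not code from either poster or from the linked tutorial. It shows the two places an index.php that "takes no arguments" typically reflects the scanner's probe: $_SERVER['PHP_SELF'] (the reply's suspicion, reachable through path info such as /index.php/<SCRIPT>foo</SCRIPT>) and $_SERVER['REQUEST_URI'] or $_SERVER['QUERY_STRING'] (which is exactly what the ?<SCRIPT>foo</SCRIPT> probe in the report lands in). Neither value is a named $_GET or $_POST field, so a sanitize function that only walks those arrays never sees them. The $probe array is a constructed stand-in for the real $_SERVER superglobal; the function names render_vulnerable, render_hardened and h are mine.

```php
<?php
// Added example (not from the thread): how a PCI scanner payload such as
//   http://www.mywebsite.com:80/?<SCRIPT>foo</SCRIPT>
// is reflected into a page that takes no form parameters, and how to stop it.

// Vulnerable: server-supplied request values are written into HTML unescaped.
// PHP_SELF is attacker-influenced via path info (/index.php/<SCRIPT>...),
// REQUEST_URI via the query string (/?<SCRIPT>...). A sanitize function that
// only loops over $_GET / $_POST never touches either.
function render_vulnerable(array $server): string
{
    $self = $server['PHP_SELF'];     // e.g. "/index.php/<SCRIPT>foo</SCRIPT>"
    $uri  = $server['REQUEST_URI'];  // e.g. "/?<SCRIPT>foo</SCRIPT>"
    return '<form action="' . $self . '" method="post">'
         . '<p>You are at ' . $uri . '</p>'
         . '</form>';
}

// Output-escaping helper: encode for the HTML context the value lands in.
// ENT_QUOTES covers both quote styles so the value is also safe inside an
// attribute; the charset must match the page's declared encoding.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened: use a fixed path instead of PHP_SELF for self-posting forms, and
// escape anything taken from the request before it is echoed.
function render_hardened(array $server): string
{
    $self = '/index.php';            // constant, not derived from the request
    $uri  = $server['REQUEST_URI'];
    return '<form action="' . h($self) . '" method="post">'
         . '<p>You are at ' . h($uri) . '</p>'
         . '</form>';
}

// Scanners flag the page when their literal marker comes back in the body;
// this mirrors that check so the difference is visible when run locally.
function reflects_marker(string $html, string $marker = '<SCRIPT>foo</SCRIPT>'): bool
{
    return strpos($html, $marker) !== false;
}

// Constructed request, mimicking the probe from the scan report (assumption:
// index.php reached via path info and a query string carrying the marker).
$probe = [
    'PHP_SELF'    => '/index.php/<SCRIPT>foo</SCRIPT>',
    'REQUEST_URI' => '/?<SCRIPT>foo</SCRIPT>',
];

$bad  = render_vulnerable($probe);
$good = render_hardened($probe);

echo 'vulnerable version reflects marker: ', reflects_marker($bad)  ? 'yes' : 'no', PHP_EOL;
echo 'hardened version reflects marker:   ', reflects_marker($good) ? 'yes' : 'no', PHP_EOL;
echo $good, PHP_EOL;
```

The point the hardened version makes is that "sanitizing" input on the way in is not the fix; escaping on the way out, per context, is. Anything read from $_SERVER, $_GET, $_POST, $_COOKIE or a database and written into HTML goes through htmlspecialchars (or a templating layer that does it for you). After changing the page, request the scanner's URL yourself and grep the response for the literal marker; if it no longer appears unencoded, the finding should clear on rescan.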

> May I assume you used $_SERVER['PHP_SELF'] somewhere?

No, I'm not using this.

My index.php file doesn't take any arguments. As the home page file, it just contains links to get to the other PHP pages on my site. I think that's what is confusing me here.

mywebsite.com?.script.foo.endscript shows up where? Should I just null any $_POST parameters that come from my index.php file? If so, how would I do that?

I'm having a hard time understanding what is happening here.

 
