Jump to content

Recommended Posts

Pretty much any time you're outputting dynamic content, it needs to be escaped first. Whether that content comes from your database, an XML feed, an external API, whatever... it needs to be escaped.

 

If you let a user input data into your database, then you need to be escaping it when you display it back onto your website somewhere. If not, then the user could type HTML or Javascript and thus you have an XSS vulnerability. Right now, you're escaping before it gets to your database. Typically this isn't the way to go. It's better to escape as close to output as possible, as that way you are sure that all content, no matter its origin, is safe to display.

 

It's better to escape as close to output as possible, as that way you are sure that all content, no matter its origin, is safe to display.

 

I'd like to implement that from here on out.

 

Just as a refresher, to do that what would I do?

 

Query the database for the information, pass it through the escape function and then output that? Is that enough or ?

 

XSS is a real acronym? cross-site scripting, hmm nice

I'd like to implement that from here on out.

 

Just as a refresher, to do that what would I do?

 

Query the database for the information, pass it through the escape function and then output that? Is that enough or ?

 

XSS is a real acronym? cross-site scripting, hmm nice

Yes, if you run your output variables through htmlspecialchars() first you'll be safe. You could also use a templating library such as Twig, which automatically sanitizes output data.

 

XSS stands for cross-site scripting, yes. Cross-site scripting is when a user is able to inject client-side code into your page.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.