thryb Posted November 5, 2007 (https://forums.phpfreaks.com/topic/76088-solved-fixing-xss/)

Hi guys,

Let's say there is an XSS vuln in my script at

http://www.domain.com/file/"><marquee><h1>vulnerable

How can I fix it? I have no trouble fixing the one that affects a variable, i.e. file.php?var=xxx. But how do I fix the one right at the end of a file like the one up here? I don't get the /">.

Thanks in advance!
Azu Posted November 6, 2007

Simple. Wherever you echo/print user-submitted data, just be sure to escape it with something like htmlspecialchars. So instead of

echo $_GET['variable'];

do

echo htmlspecialchars($_GET['variable']);

This also applies to $_POST and $_SERVER and to data retrieved from databases (if people can put stuff into the database, such as in a forum system, for example).
thryb Posted November 6, 2007 (Author)

Yes, that I understand, but in that case

http://www.domain.com/file/"><marquee><h1>vulnerable

there is no variable posted? Or is it simply $_GET['']?
Azu Posted November 6, 2007

$_GET['file'] maybe. Not sure. Post the PHP code that is outputting it and I can tell you.
MadTechie Posted November 6, 2007

I assume you are using .htaccess, something like

Redirect /blar/file/ /?file=

Check that and get the variable.
thryb Posted November 6, 2007 (Author)

OK, I found out... thanks, both of you, for your help! Didn't think about the .htaccess; there was one of my $_GET that wasn't htmlspecialchars'd and I forgot it was directed by my .htaccess.

Thanks again for your help.
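The following is an added example, not code from the original thread. It puts Azu's htmlspecialchars advice and MadTechie's rewrite observation together: a hypothetical .htaccess rule (assumed here, not taken from the poster's site) maps /file/<segment> to index.php?file=<segment>, so the payload at "the end of the URL" arrives in $_GET['file'] like any other query variable, and the fix is to escape it at every output point. The function names e(), renderVulnerable() and renderFixed() are this example's own.

```php
<?php
// Added example, not code from the original thread. It reproduces the
// situation discussed above: a rewrite rule maps /file/<segment> to
// index.php?file=<segment>, so the "end of the URL" is really $_GET['file'],
// and it shows the vulnerable output beside the escaped one.
//
// Assumed (hypothetical) .htaccess rule:
//   RewriteEngine On
//   RewriteRule ^file/(.*)$ index.php?file=$1 [QSA,L]

declare(strict_types=1);

// HTML-escape a value for text content or a quoted attribute value.
// ENT_QUOTES also encodes the single quote, which the pre-PHP-8.1 default
// (ENT_COMPAT) leaves alone; ENT_SUBSTITUTE replaces invalid UTF-8 with
// U+FFFD instead of returning an empty string; the explicit charset avoids
// depending on the default_charset ini setting.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: the segment is echoed raw into an attribute and into the body,
// so "><marquee>... closes the href attribute and starts new markup.
function renderVulnerable(string $file): string
{
    return '<a href="/file/' . $file . '">' . $file . '</a>';
}

// After: the segment is percent-encoded for the URL path and then
// HTML-escaped for the attribute; the body text is HTML-escaped.
function renderFixed(string $file): string
{
    $url = '/file/' . rawurlencode($file);
    return '<a href="' . e($url) . '">' . e($file) . '</a>';
}

// Constructed input: the payload from the thread, used when the script is
// run from the CLI, where $_GET is empty.
$file = $_GET['file'] ?? '"><marquee><h1>vulnerable';

if (PHP_SAPI !== 'cli') {
    // Keep the declared charset consistent with the one passed to e().
    header('Content-Type: text/html; charset=UTF-8');
}

echo renderVulnerable($file), PHP_EOL;
echo renderFixed($file), PHP_EOL;

// Quick regression check: no raw tag from the payload may survive escaping.
if (preg_match('/<(marquee|h1)/i', renderFixed($file)) === 1) {
    fwrite(STDERR, "escaping failed\n");
    exit(1);
}
```

In the escaped output the leading `"` becomes `&quot;` and each `<` becomes `&lt;`, so the payload stays inside the attribute value and the text node instead of closing them. Note that htmlspecialchars is the right tool only for HTML text and for quoted attribute values; an unquoted attribute, a URL whose scheme the user controls (`javascript:`), inline JavaScript or CSS each need their own context-specific encoding, and data read back from a database (Azu's point above) goes through the same e() at output time.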