Prevent XSS Attacks. Escape Strings in PHP

  • Published 3 Oct 2024

COMMENTS • 25

  • @biscuitcubed2804 9 years ago +2

    Wow this is exactly what I have been looking for and it popped up in my inbox!

    • @john.morris 9 years ago

      Cugru Cubing Lol. Glad to hear!

  • @apseh721 9 years ago

    Nice video as always John. The great thing was the very clear explanation between htmlentities and htmlspecialchars. Great!

  • @clementpetit6134 7 years ago +6

    Play this at a speed of 1.25 if you think he speaks too slow

  • @DawnOfTheDead991 9 years ago

    The trouble with htmlentities is that if there is an html entity in the input stream, it will convert the lead ampersand, &, to &amp;, thereby ruining all the input entities

  • @JayRGabz 5 years ago +1

    nice explanation.. :D great

  • @mr.techno-era7474 7 years ago

    We can also prevent XSS attack by just using strip_tags() function!! What's your opinion on it??

  • @TiffaniJameson 9 years ago

    Thank you very much for this! I'm a self-taught newbie so bear with me. This script, should it be included in an existing php file, say for a form, or should it be created?

  • @KarlBrouillette 8 years ago

    Hi John, I really like the video and I know how much work goes into doing them. Nice job!
    I did want to mention that you compare htmlentities and htmlspecialchars as hammer vs surgical in solving XSS. I am fairly certain that both were not strictly intended to thwart XSS, but both have addressed the need of displaying HTML on a webpage without it being interpreted as HTML. But as escaping became required, these functions also fill the need quite well.
    As for htmlentities being a hammer: being francophone I know all too well the need for entities when accented characters are in use. So htmlentities is required when displaying accented characters regardless of XSS. So not really XSS specific.
    On the subject of XSS, it appears to me we should store the data after first processing it, since although it is escaped when presented on the intended site, it may also be displayed when consulting the DB with tools such as PhpAdmin or other custom solutions. Do you see a downside?

    • @john.morris 8 years ago

      +Karl Brouillette I've never seen a program use htmlentities or htmlspecialchars on the way IN to a database. Of course, you do database escaping to protect against injection attacks, etc... but for preventing XSS attacks you want to escape at the point the text is being output so you know the final output is escaped.

    • @KarlBrouillette 8 years ago

      +John Morris Thanks John!
      I understand that the concern is when our data is being output by our Php code, so we escape it. But if using browser-based tools which we did not develop, similar to PhpAdmin, then that tool could be outputting it without escaping. Locally, this is probably not an issue, but when using these browser-based tools of your web hosting provider, that could result in an unhandled XSS attack. Maybe I am missing something.
      In any case, thank you I like your work. I'll experiment on my end to further improve my knowledge.

  • @anthonyleong3011 6 years ago +1

    Great tutorial,
    I would like to ask one question.
    In my site, I am using htmlspecialchars to sanitize user input; do I still need to use htmlspecialchars for the prevention of XSS? Thanks

    • @mibrahim4245 4 years ago

      That's enough, I use it on user input then store it in the database; when I echo I don't use anything! ..
      ** I tried to use it on echo as well but it showed the characters un-encoded! Like if any user writes double quotes or single quotes it will echo a bunch of weird characters which we don't want! ..
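
An added example, not code from the video or from any commenter, illustrating the point John makes about escaping at the point of output and the "weird characters" mibrahim4245 saw when escaping twice. The helper e(), render_comment() and the $comment value are constructed for this demonstration; UTF-8 is assumed.

```php
<?php
// Added example, not code from the video or from any commenter: keep the raw
// text in storage and escape at the point of output. The helper e(), the
// $comment value and render_comment() are constructed for this demo.
declare(strict_types=1);

/** Escape for HTML text and quoted attribute values; UTF-8 assumed. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Build the HTML for one comment from the RAW stored value. */
function render_comment(string $raw): string
{
    return '<p class="comment">' . e($raw) . '</p>';
}

// Constructed user input containing the characters the escaping functions act on.
$comment = 'Tom & Jerry said "hi" <b>there</b>';

// Escape on output: what is stored is the original text ...
$stored_raw = $comment;
// ... and the page gets the escaped form only when it is rendered.
echo "escape on output: ", render_comment($stored_raw), PHP_EOL;
// Every & < > " ' is turned into an entity exactly once, so the browser shows
// the original text and does not interpret <b> as markup.

// Escape on input: the stored value is already HTML and must be echoed as-is.
// The original text is gone for other consumers (JSON API, e-mail, CSV), and
// anything that displays the row outside this page sees entities, not text.
$stored_escaped = e($comment);
echo "escape on input:  ", $stored_escaped, PHP_EOL;

// Doing both (escape on input AND on output) escapes the ampersands produced
// by the first pass again, so the reader sees the entity names as literal text.
// That is the "bunch of weird characters" from the comment above.
echo "escaped twice:    ", e($stored_escaped), PHP_EOL;
```

Run it with `php escape.php` (any file name) and compare the three lines: only the first one renders as the user typed it while keeping the markup inert.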

  • @Khapa123 8 years ago

    dear john I have made a form on which users can view their own data after login, but there is a problem: if someone changes the id number in the URL then it shows the others' data based on the id number. How to overcome this?

  • @papakushi 8 years ago

    Could this prevent an xss attack that is encoded?

  • @RSTao77432 6 years ago

    Hi dude, you have this

  • @riberycr7 8 years ago

    Nice video...
    I am quite new with php, I write mostly with jsp.
    The question I want to ask you is:
    With jsp it goes like this to prevent XSS
    import org.owasp.esapi.ESAPI;
    import org.owasp.esapi.Encoder;
    String str = "alert(11);";
    Encoder XSS = ESAPI.encoder();     // OWASP ESAPI library
    str = XSS.canonicalize(str);       // reduce to one form first (UTF-8, UTF-16, ...)
    str = XSS.encodeForHTML(str);      // and then encode for the HTML context
    Did the code with php encode the "input" to one form? If I gave another encoding, is this way going to prevent XSS?? And not just filtering / ....
    Thanks a lot for the video...
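
The question above is about canonicalisation. As an added example (not from the video or from the commenter), the following shows that htmlspecialchars() escapes for one declared encoding and one output context but does not normalise the input, and what it does when the bytes are not valid in that encoding. The byte string $legacy, the assumed ISO-8859-1 source encoding and the helper to_utf8() are constructed for this demonstration; the mbstring extension is assumed to be installed.

```php
<?php
// Added example, not code from the video or from any commenter. The byte
// string $legacy and the helper to_utf8() are constructed for this demo.
declare(strict_types=1);

$flags = ENT_QUOTES | ENT_HTML5;

// Constructed input: "café <b>" with é as a single ISO-8859-1 byte (0xE9),
// which is not a valid UTF-8 sequence.
$legacy = "caf\xE9 <b>";

// 1. htmlspecialchars() escapes for ONE output context (HTML text and quoted
//    attributes) in ONE declared encoding. It does not canonicalise: if the
//    bytes are not valid in the declared encoding, the default is to return
//    an empty string, which blanks the field without raising any error.
$out = htmlspecialchars($legacy, $flags, 'UTF-8');
echo 'default on invalid UTF-8: [', $out, '] length ', strlen($out), PHP_EOL;

// 2. ENT_SUBSTITUTE replaces each invalid sequence with U+FFFD instead of
//    discarding the whole string; ENT_IGNORE would drop the bad bytes silently.
echo 'with ENT_SUBSTITUTE:      ', htmlspecialchars($legacy, $flags | ENT_SUBSTITUTE, 'UTF-8'), PHP_EOL;

// 3. Bringing input to one encoding is a separate step that has to run
//    BEFORE escaping, and it needs the source encoding to be known. Here the
//    legacy encoding is assumed to be ISO-8859-1 (a constructed assumption).
function to_utf8(string $s, string $fallback = 'ISO-8859-1'): string
{
    return mb_check_encoding($s, 'UTF-8') ? $s : mb_convert_encoding($s, 'UTF-8', $fallback);
}
echo 'normalised then escaped:  ', htmlspecialchars(to_utf8($legacy), $flags, 'UTF-8'), PHP_EOL;

// 4. Declare the same encoding to the browser that you escaped for, so the
//    bytes are not reinterpreted on the client side. (No-op on the CLI.)
header('Content-Type: text/html; charset=UTF-8');
```

The practical rule this illustrates: decide on one internal encoding (UTF-8), convert at the boundary where you still know the source encoding, escape at output for the exact context, and always pass the charset argument explicitly rather than relying on the default.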

  • @sonabarbhuiya5463 5 years ago

    Please can anyone help me, because I tried to stop my data form from submitting but nothing works. I always back up and reset my mobile and even clean it with antivirus, and many things I tried but nothing works. When I search anything on Google it shows (CONFIRM FORM RESUBMISSION The Web page requires data that you entered earlier in order to be properly displayed. You can send this data again, but by doing so you will repeat any action this page previously performed. Reload this web page, Press the Reload button to resubmit the data needed to load the page). Somebody has stolen my password, my bank account numbers and email password, everything; even somebody opens my Facebook account when I'm offline and messages my friends, and when I see security and login I find my Facebook is logged in with a different device like a computer, and an unknown device which Facebook doesn't find, the place that Facebook was logged in, that place I never visit, like Mumbai, Delhi, Kolkata, Pune, Hyderabad, and now nearby places like Assam Tinsukia, near Gauhati, and these places I even don't know - Dibrugarh, India. Sual kuchi, India. Sonitpur, India. I'm tired so please help me to remove the form submission

  • @nunyadambidnis2274 7 years ago

    What IDE are you using?

  • @DawnOfTheDead991 9 years ago

    Why not use strip_tags instead?

    • @john.morris 9 years ago

      Because that strips it altogether. There can be legitimate cases for displaying it while not rendering it... like displaying source code in a blog post for example.

    • @DawnOfTheDead991 9 years ago

      John Morris True dat. But htmlentities() will ruin all the html entities, ironic
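
An added example, not code from the video or from any commenter, covering both threads above: John's point that strip_tags() destroys content you may legitimately want to display (the strip_tags questions from mr.techno-era7474 and DawnOfTheDead991), and DawnOfTheDead991's point about htmlentities() re-escaping entities the author already typed. The input string and the tag with the harmless handler f() are constructed for this demonstration.

```php
<?php
// Added example, not code from the video or from any commenter. It compares
// strip_tags(), htmlspecialchars() and htmlentities() on one constructed
// input, including the double_encode argument relevant to this thread.
declare(strict_types=1);

// Constructed input: a snippet a blog author wants to DISPLAY as text. It
// contains tags, a bare accented character, and two entities the author typed.
$input = 'Use <b>caf&eacute;</b> &amp; é in <pre>';

$flags = ENT_QUOTES | ENT_HTML5;

// strip_tags() drops the markup, so the reader loses the code sample and
// cannot tell where the tags were. Only the text between tags survives.
echo "strip_tags:             ", strip_tags($input), PHP_EOL;

// htmlspecialchars() touches only & < > " and '. By default the ampersand of
// each entity the author typed is escaped again (double-encoded), so the
// browser shows the literal entity name instead of the accented character.
echo "specialchars default:   ", htmlspecialchars($input, $flags, 'UTF-8'), PHP_EOL;

// With double_encode = false, an ampersand that already starts a valid entity
// is left alone; the bare é is never touched because it is not a special char.
echo "specialchars no-double: ", htmlspecialchars($input, $flags, 'UTF-8', false), PHP_EOL;

// htmlentities() additionally converts every character that has a named
// entity in the chosen document type, so the bare é becomes an entity too.
// The same double_encode = false keeps the author's own entities intact.
echo "htmlentities no-double: ", htmlentities($input, $flags, 'UTF-8', false), PHP_EOL;

// Caveat on strip_tags() with an allow-list (documented in the PHP manual):
// attributes on allowed tags are not removed, so allow-listing tags is not a
// substitute for escaping. Constructed tag with a harmless handler f():
echo "strip_tags allow <a>:   ", strip_tags('<a href="#" onmouseover="f()">x</a>', '<a>'), PHP_EOL;
```

The takeaway for the two threads: use strip_tags() only when you genuinely want the markup gone, escape with htmlspecialchars() (or htmlentities() for legacy non-UTF-8 pages) when the text must be shown but not interpreted, and pass double_encode = false only for input you know already contains intentional entities.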

    • @akaHyped 8 years ago

      +DawnOfTheDead991 who cares? lol

    • @akaHyped 8 years ago

      troll? I'm saying "who cares" because nobody is even getting affected on the user end, so why would it matter at ALL? Your use of irony is incorrect.

    • @akaHyped 8 years ago

      ***** what are you talking about? I'm referring to when you said "htmlentities() will ruin all the html entities" so I said "who cares".. Prove me wrong .... who would care (except an attacker) that the developer used htmlentities.
      Also you saying "XSS injections can insert unwanted JavaScript into your browser, so yeah it affects the user" is like saying humans need air to breathe LMFAO obviously