XSS, a simple attack, but can ruin your web easily. To perform this attack, simply just type
<script>alert('XSS')</script> at your fictim's comment form. If you find this notification:
Congrats, you found a vulnerable site, and you officially become a bug hunter. XD.
Back to securing the form. There are 3 methods that i know to securing your input form form XSS:
Simple one. Check the input if the input not contain something suspicious. If you find it, you can reject the input.
For do this in PHP, you can use
strip_tags. Here is the example:
<?php $input = '<script src = "http://evil.com/some/evil/source"></script> Some comments'; echo strip_tags($input); ?>
And, here is the result:
You can sanitaze the input using a simple replace function. Simply, just replace
< (unicode symbol for
<). If you display
< as the unicode, the XSS syntax will'nt run, and printed as normal string.
Yeah, that's my tips, Do you have any tips that i don't write here, you can add it down in the comment 👇.
Thanks for read, and bye! 👋.