It seems I've come into a tricky situation with XSS where a user can use "javascript:something" to execute an XSS attack. Obviously htmlentities() does not work here. I could just replace "javascript:" with something else; however, that will not work because of some browsers (e.g., Samy's MySpace XSS).
What would be the proper way to deal with a situation such as this?
XSS
<?php while(!$succeed = try()); ?>
- FrederickGeek8
Re: XSS
What is the context? Is this a user posting a URL or what?
You could always do a preg_replace() in PHP, which would work everywhere because it is server-side.
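One way to handle the situation asked about above, as an added example that is not part of the thread or either poster's code: allowlist the URL scheme instead of stripping "javascript:", then HTML-escape the value for the href attribute. The helper name safe_href(), the allowed scheme list and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: validate a user-supplied URL by scheme allowlist.
// safe_href() is a hypothetical helper, not a PHP built-in.
// Returns a string safe to place inside href="...", or null to reject.
function safe_href(string $url, array $allowed = ['http', 'https', 'mailto']): ?string
{
    // Browsers strip leading control characters/spaces and drop TAB, CR
    // and LF anywhere in a URL, so "java\nscript:" still parses as a
    // javascript: URL. Normalise the same way before checking the scheme.
    $url = preg_replace('/^[\x00-\x20]+|[\t\r\n]/', '', $url);
    if ($url === null || $url === '') {
        return null;
    }

    // Scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
    // Anything without an explicit scheme is rejected too, so the decision
    // never depends on how a browser guesses at a malformed value.
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return null;
    }
    if (!in_array(strtolower($m[1]), $allowed, true)) {
        return null;
    }

    // Escape for the attribute context; this is the part htmlentities()
    // handles, and it is applied only after the scheme check has passed.
    return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: one legitimate link and several values that a
// plain str_replace('javascript:', ...) filter would not catch.
$samples = [
    'https://example.com/?q=a&b="c"',
    "java\nscript:alert(1)",
    " \tJaVaScRiPt:alert(1)",
    'data:text/html,<b>x</b>',
    'javascript&#58;alert(1)',
];

foreach ($samples as $s) {
    $href = safe_href($s);
    echo json_encode($s), ' => ', $href === null ? 'REJECTED' : $href, PHP_EOL;
}
```

Only the first sample is accepted; the allowlist decides what is permitted, so new or obfuscated schemes are rejected by default rather than needing their own replace rule.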