XSS

Ask about a PHP problem here.
ExtremeGaming
Posts: 205
Joined: Mon Jul 09, 2012 11:13 pm

XSS

Post by ExtremeGaming »

It seems I've come into a tricky situation with XSS where a user can use "javascript:something" to execute an XSS attack. Obviously htmlentities() does not work here. I could just replace "javascript:" with something else; however, that will not work because of some browsers (e.g. Samy's MySpace XSS).

What would be the proper way to deal with a situation such as this?
<?php while(!$succeed = try()); ?>
FrederickGeek8
Posts: 148
Joined: Wed Nov 30, 2011 10:31 pm

Re: XSS

Post by FrederickGeek8 »

What is the context? Is this a user posting a URL or what?

You could always do a preg_replace() in PHP, which would work everywhere because it is server-side.
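An added example, not part of either post: one way to handle the "javascript:" case raised in the thread is to allowlist URL schemes rather than strip a blacklisted one, then HTML-encode the result for the attribute. It assumes the value ends up in an `href` attribute; `safe_href()` and `ALLOWED_SCHEMES` are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Hypothetical helper: allowlist URL schemes instead of blacklisting "javascript:".
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

/**
 * Return a value safe to place inside href="...", or null to reject the URL.
 */
function safe_href(string $url): ?string
{
    // Browsers drop leading/trailing control characters and spaces, and remove
    // tab/CR/LF anywhere in a URL, so "java\tscript:" is still a javascript: URL.
    // Normalise the same way before looking at the scheme.
    $url = trim($url, "\x00..\x20");
    $url = str_replace(["\t", "\r", "\n"], '', $url);
    if ($url === '') {
        return null;
    }

    // Text before the first ":" is a scheme unless "/", "?" or "#" comes first,
    // in which case the URL is relative and has no scheme to check.
    if (preg_match('~^([^/?#:]*):~', $url, $m)) {
        if (!in_array(strtolower($m[1]), ALLOWED_SCHEMES, true)) {
            return null;
        }
    }

    // Encoding "&" keeps entity tricks such as "javascript&#58;" from being
    // decoded into a real colon by the HTML parser; quotes are encoded so the
    // value cannot break out of the attribute.
    return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs.
$samples = [
    'https://example.com/?a=1&b=2',
    '/profile.php?id=5',
    'javascript:alert(1)',
    " JaVa\tScRiPt:alert(1)",
    'javascript&#58;alert(1)',
    'data:text/html,<script>alert(1)</script>',
];
foreach ($samples as $s) {
    $href = safe_href($s);
    echo json_encode($s), ' => ', $href ?? 'REJECTED', PHP_EOL;
}
```

Because the check is on the scheme rather than on the literal string "javascript:", other script-capable schemes such as `data:` and `vbscript:` are rejected by the same rule.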