XSS

Posted: Sat Mar 30, 2013 10:22 pm
by ExtremeGaming
It seems I've come into a tricky situation with XSS where a user can use "javascript:something" to execute an XSS attack. Obviously htmlentities() does not work here. I could just replace "javascript:" with something else, however, that will not work because of some browsers. (Ex: Samy's Myspace XSS).

What would be the proper way to deal with a situation such as this?

Re: XSS

Posted: Sun Mar 31, 2013 1:40 am
by FrederickGeek8
What is the context? Is this a user posting a URL or what?

You could always do a preg_replace() in PHP, which would work everywhere because it is server-side.
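The approach the first post is looking for is usually an allowlist of URL schemes rather than a blacklist of "javascript:", because browsers tolerate case and whitespace variations in the scheme that a string replacement will not catch. The following is an added example written for this thread, not code posted by either participant. It assumes PHP 7.1 or later (for the nullable return type), accepts only absolute http/https URLs, and still escapes the result with htmlspecialchars() when it is placed in the href attribute; a rejected URL is rendered as plain text instead of a link.

```php
<?php
// Added example for this thread, not code from either poster.
// Instead of blacklisting "javascript:" (which case and whitespace tricks
// get around), accept only URLs whose scheme is on a short allowlist, then
// escape the result for the attribute with htmlspecialchars().

/**
 * Return a normalised absolute URL that is safe to place in href="", or null
 * if the input is not acceptable. Only http and https are allowed here;
 * extend the allowlist deliberately (e.g. mailto) rather than blacklisting.
 */
function safe_href(string $input): ?string
{
    // Browsers ignore leading/trailing whitespace and strip tab/newline
    // inside the scheme, so remove the former and reject the latter outright.
    $url = trim($input, " \t\n\r\0\x0B");
    if ($url === '' || preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return null;
    }

    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;  // relative URLs and scheme-less input are not accepted
    }

    // The host check alone is not enough: "javascript://host/..." parses with
    // a host, so the scheme allowlist is the decisive test.
    $allowed = ['http', 'https'];
    if (!in_array(strtolower($parts['scheme']), $allowed, true)) {
        return null;  // javascript:, data:, vbscript:, ... all land here
    }

    return $url;
}

/** Render a link; a rejected URL degrades to plain text instead of a link. */
function render_link(string $url, string $label): string
{
    $safe = safe_href($url);
    $text = htmlspecialchars($label, ENT_QUOTES, 'UTF-8');
    if ($safe === null) {
        return $text;
    }
    // Attribute escaping is still required even for an allowlisted URL.
    return '<a href="' . htmlspecialchars($safe, ENT_QUOTES, 'UTF-8') . '">'
        . $text . '</a>';
}

// Constructed sample inputs (not taken from the thread): only the first one
// should come back as a clickable link.
$samples = [
    'https://example.com/page?a=1&b=2',
    'javascript:alert(1)',
    '  JaVaScRiPt:alert(1)',
    "java\tscript:alert(1)",
    'data:text/html,hello',
];
foreach ($samples as $s) {
    echo render_link($s, 'link') . "\n";
}
```

The point of the design is that nothing in it depends on recognising a bad scheme: anything that is not http or https is dropped, so the variants that get past a "javascript:" replacement never reach the attribute. If the application needs to accept relative links, that should be added as a separate, explicit rule (for example, paths starting with a single "/") rather than by loosening the scheme check.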