
PHP XSS sanitization
Questions:

What are the best safe1(), safe2(), safe3(), and safe4() functions to avoid XSS for UTF-8 encoded pages? Is it also safe in all browsers (specifically IE6)?

```php
<body><?php echo safe1($xss)?></body>

<body id="<?php echo safe2($xss)?>"></body>

<script type="text/javascript">
var a = "<?php echo safe3($xss)?>";
</script>

<style type="text/css">
.myclass {width:<?php echo safe4($xss)?>}
</style>
```

Many people say the absolute best that can be done is:

```php
// safe1 & safe2
$s = htmlentities($s, ENT_QUOTES, "UTF-8");
// But how would you compare the above to:
// https://github.com/shadowhand/purifier
// OR http://kohanaframework.org/3.0/guide/api/Security#xss_clean
// OR is there an even better if not perfect solution?
```

```php
// safe3
$s = mb_convert_encoding($s, "UTF-8", "UTF-8");
$s = htmlentities($s, ENT_QUOTES, "UTF-8");
// How would you compare this to using mysql_real_escape_string($s)?
// (Yes, I know this is a DB function)
// Some other people also recommend calling json_encode() before passing to htmlentities
// What's the best solution?
```

There are a hell of a lot of posts about PHP and XSS. Most just say "use HTMLPurifier" or "use htmlspecialchars", or are wrong. Others say use OWASP -- but it is EXTREMELY slow. Some of the good posts I came across are listed below:

[Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?](https://stackoverflow.com/questions/110575/do-htmlspecialchars-and-mysql-real-escape-string-keep-my-php-code-safe-from-injec)

[XSS Me Warnings - real XSS issues?](https://stackoverflow.com/questions/2102836/xss-me-warnings-real-xss-issues)

[CodeIgniter - why use xss_clean](https://stackoverflow.com/questions/5337143/codeigniter-why-use-xss-clean)
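The four encoders the question asks for, as an added example written for this page; it is not code from the question or from any of the libraries it links. It assumes PHP 7.2 or later with ext/mbstring. The names safe1 to safe4 are the question's own placeholders; `to_valid_utf8`, `render` and the probe string are constructed for the example. The point the question's candidates miss is that the encoder has to match the insertion context: an HTML entity encoder is the wrong tool inside a `<script>` string, and no escaper at all is adequate for a CSS property value, where the fix is an allow-list.

```php
<?php
// Added example, not code from the original question: one context-specific
// encoder per insertion point in the question's template. Assumes PHP >= 7.2
// with ext/mbstring; safe1..safe4 are the question's placeholder names.
declare(strict_types=1);

// Normalise to valid UTF-8 first. Converting UTF-8 to UTF-8 makes mbstring
// replace malformed byte sequences with its substitute character, so a
// truncated multibyte lead byte cannot later swallow a quote or a bracket.
function to_valid_utf8(string $s): string
{
    return mb_convert_encoding($s, 'UTF-8', 'UTF-8');
}

// safe1: text content of an element. Only & < > " ' matter here, so
// htmlspecialchars() is enough; htmlentities() encodes far more than needed.
// ENT_QUOTES without ENT_HTML5 emits &#039; rather than &apos;, which old IE
// does not decode in HTML. ENT_SUBSTITUTE keeps bad input from yielding "".
function safe1(string $s): string
{
    return htmlspecialchars(to_valid_utf8($s), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// safe2: value of a double-quoted attribute. The same encoder is sufficient
// only because the template keeps the quotes around the value; in an unquoted
// attribute a space would end the value and start a new attribute.
function safe2(string $s): string
{
    return safe1($s);
}

// safe3: inside a double-quoted JavaScript string literal in a <script> block.
// HTML encoding is wrong here: the HTML parser does not decode entities inside
// <script>, so &quot; reaches the JS engine literally while a raw </script>
// still ends the block. Instead encode every character outside [A-Za-z0-9] as
// a JS escape (\xHH below U+0100, \uHHHH otherwise, a surrogate pair above
// U+FFFF), which neutralises quotes, backslashes, newlines, U+2028/U+2029 and
// the </script> sequence alike.
function safe3(string $s): string
{
    return preg_replace_callback('/[^A-Za-z0-9]/u', function (array $m): string {
        $cp = mb_ord($m[0], 'UTF-8');
        if ($cp < 0x100) {
            return sprintf('\\x%02X', $cp);
        }
        if ($cp < 0x10000) {
            return sprintf('\\u%04X', $cp);
        }
        $cp -= 0x10000;
        return sprintf('\\u%04X\\u%04X', 0xD800 + ($cp >> 10), 0xDC00 + ($cp & 0x3FF));
    }, to_valid_utf8($s));
}

// safe4: a CSS property value. Escaping does not help, because a well-formed
// value such as expression(...) on old IE is itself the payload, and "}" or
// </style> would end the block. Allow-list the grammar the property needs
// (a length or percentage for width) and fall back to a fixed safe value.
function safe4(string $s): string
{
    $s = trim(to_valid_utf8($s));
    if (preg_match('/\A[0-9]{1,5}(?:\.[0-9]{1,3})?(?:px|em|rem|%)?\z/', $s) === 1) {
        return $s;
    }
    return 'auto';
}

// Render the question's template with the matching encoder in each context.
function render(string $xss): string
{
    return "<body>" . safe1($xss) . "</body>\n"
         . "<body id=\"" . safe2($xss) . "\"></body>\n"
         . "<script type=\"text/javascript\">\nvar a = \"" . safe3($xss) . "\";\n</script>\n"
         . "<style type=\"text/css\">\n.myclass {width:" . safe4($xss) . "}\n</style>\n";
}

// Constructed probe: closes the JS string, ends the script block, injects a
// tag, and ends with an invalid UTF-8 sequence (C3 28).
$probe = "\"; </script><img src=x onerror=alert(1)>\xC3\x28";

// Declare the charset explicitly so no browser has to sniff it.
header('Content-Type: text/html; charset=UTF-8');
echo render($probe);
```

Run it with `php` on the command line or as a page: the quote, the `</script>` sequence, the tag and the invalid tail each come out inert in all four contexts. For safe3, `json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)` is a standard-library alternative with the same effect, provided you let it emit the surrounding quotes instead of writing them in the template. Applying htmlentities() to the JS or CSS value, as the question's safe3 candidate does, does not remove the need for these context-specific encoders.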