Hi All,

My application is written in PHP. There is a search page which is vulnerable to cross-site scripting. I have used the PHP sanitizing filters to resolve this.
I have two versions of the application. In one version it's working fine.
In the other version of the application, even after using the filters, the application still allows dynamic execution of scripts.

Please help me with how to prevent XSS attacks / dynamic script execution.

Thanks

What I have tried:

<?php
// Sanitise the search keyword from the form (strips tags and encodes quotes;
// FILTER_SANITIZE_STRING is deprecated as of PHP 8.1)
$keyword = filter_var($_POST["tbSearch"] ?? '', FILTER_SANITIZE_STRING);

$recordsperpage = 15;
// Page number from the form; fall back to 0 when it is missing or not numeric
$page = (isset($_POST['pagination_page']) && is_numeric($_POST['pagination_page']))
    ? (int) $_POST['pagination_page']
    : 0;
$startindex = $page * $recordsperpage;

// Query string used by the pagination links
$querystring = "";
$querystring .= "search=" . urlencode($keyword);
$querystring .= "&recordcount=" . $recordsperpage;
$querystring .= "&startindex=" . $startindex;

// Collapse runs of whitespace in the keyword to a single space
$keyword = preg_replace('/\s+/', ' ', $keyword);
Posted
Updated 13-Apr-21 4:08am
Comments
Richard Deeming 27-Mar-18 14:59pm
Preventing XSS is not about filtering the input; it's about properly encoding the output.

Cross-Site Scripting (XSS) — Survive The Deep End: PHP Security :: v1.0a1
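To show what "encoding the output" looks like for this search page, here is an added example (not code from the question or from Richard Deeming's reply). It keeps the posted keyword as plain text and encodes it at each sink: `htmlspecialchars` for the HTML attribute and text nodes, and `http_build_query` for the pagination URL. The helper names (`h`, `read_keyword`, `read_page`, `build_query`, `render`), the `search.php` link target and the `$samplePost` request are assumptions made for a stand-alone run; the form field names `tbSearch` and `pagination_page` are the ones from the question.

```php
<?php
// Added example: encode the untrusted keyword at every output sink instead of
// "sanitising" it once on the way in. All request values below are constructed.
declare(strict_types=1);

/** Escape for HTML text nodes and double-quoted attribute values. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Read the keyword as plain text; only type handling and whitespace normalisation. */
function read_keyword(array $post): string
{
    $keyword = (isset($post['tbSearch']) && is_string($post['tbSearch'])) ? $post['tbSearch'] : '';
    // Collapse whitespace runs as the original code did; this is search
    // normalisation, not a security control.
    return trim(preg_replace('/\s+/', ' ', $keyword));
}

/** Read the page number as a non-negative integer, defaulting to 0. */
function read_page(array $post): int
{
    $raw = (string) ($post['pagination_page'] ?? '0');
    return preg_match('/^\d+$/', $raw) === 1 ? (int) $raw : 0;
}

/** Build the pagination query string; http_build_query percent-encodes each value. */
function build_query(string $keyword, int $page, int $perPage): string
{
    return http_build_query([
        'search'      => $keyword,
        'recordcount' => $perPage,
        'startindex'  => $page * $perPage,
    ], '', '&', PHP_QUERY_RFC3986);
}

/** Render the form, the result heading and the "next page" link; every sink is encoded. */
function render(string $keyword, int $page, int $perPage): string
{
    $next = build_query($keyword, $page + 1, $perPage);
    return '<form method="post">'
        . '<input type="text" name="tbSearch" value="' . h($keyword) . '" />'
        . '<input type="submit" value="Search" />'
        . '</form>' . PHP_EOL
        . '<p>Results for <strong>' . h($keyword) . '</strong></p>' . PHP_EOL
        // The query string goes through h() too, so the "&" separators become "&amp;"
        . '<a href="search.php?' . h($next) . '">Next page</a>';
}

// Constructed sample request: a value that would break out of the attribute
// and inject markup if it were written to the page unencoded.
$samplePost = [
    'tbSearch'        => '"><b>bold?</b>',
    'pagination_page' => '2',
];

$keyword = read_keyword($samplePost);
$page    = read_page($samplePost);
echo render($keyword, $page, 15), PHP_EOL;
```

Running this with `php` on the command line prints the input tag with `value="&quot;&gt;&lt;b&gt;bold?&lt;/b&gt;"`, so the browser shows the literal text instead of interpreting it, and the link carries `search=%22%3E%3Cb%3Ebold%3F%3C%2Fb%3E&amp;recordcount=15&amp;startindex=45`. The same encoder is used for the text node and the attribute because `ENT_QUOTES` covers both; a value placed inside a `<script>` block or an inline event handler would need a different, context-specific encoder, which is why a single input filter cannot cover every version of a page.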

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)