tal Posted February 15, 2010

Hello all,

I have read a bit about cross-site scripting, but I am still not sure about XSS and HTML form data. On my site I use HTML forms; for example, I ask for a credit card number. I am not using JavaScript in these forms, only HTML and PHP (and cookies). Is it possible to cross-site script the data in the form (which is also placed in a cookie if needed)?

Thank you for your time and good answers,
Tal
boen_robot Posted February 16, 2010

Do you output any data the user enters, or do you just accept it and not show it? If you do show it, you need to make sure that when you output it, it doesn't contain any HTML data. In the case of a credit card number, after making sure the credit card is valid, show it. If you accept credit card numbers in any format*, make sure to output only the numbers, without any additional formatting the user might have entered.

*This will be really beneficial for your users. Many people find it more readable to enter spaces between every 4 digits, or dashes. Instead of requiring them to enter the digits without such spaces, you can strip out any non-numeric data and only validate the resulting number.
tal Posted February 18, 2010 (Author)

I use PHP functions, strip_tags and a custom preg_match_all, in order to sanitize the user input. When a form is not filled in correctly I send it back with the data filled in by the user and sanitized by me, so no HTML tags will go through.

Are "HTML data" and "HTML tags" the same thing?

What I am asking is: is it possible to do a cross-site scripting attack that grabs the data I sanitized and sent back to the user so they can continue filling in the form? I put the data in a cookie on the user's computer, but I don't use JavaScript to handle that data. So is it possible to XSS the form data?

And thanks for the advice about spaces between the numbers, it sounds good.

Thank you,
Tal
justsomeguy Posted February 18, 2010

What are you trying to accomplish? I'm not sure cross-site scripting is even an option. Start with what you're trying to accomplish and we'll help with ideas about how to do it.
tal Posted February 19, 2010 (Author)

Thanks, but it is the other way around: I am trying to avoid XSS, not accomplish it. Can XSS take the data from a form filled in by my user if it is in cookies, or while it is being filled in in real time by the user?

Thank you,
Tal
justsomeguy Posted February 19, 2010

You're asking if your form is vulnerable to XSS attacks?

Virtually anything on your page, including cookies, is vulnerable to XSS. The trick in preventing XSS is to make it so that people can't inject code on your site in the first place, instead of trying to protect data after they've already injected code. Don't worry about what they may be able to do once they compromise your site; worry about how to stop them compromising the site in the first place.
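The two points made above, boen_robot's (only ever echo back a cleaned value, and strip the formatting from a card number before validating it) and justsomeguy's (stop the injection at the point where user data is written into the page), as one added example in PHP. This is illustrative code written for this thread, not code posted by tal or any of the replies; the function names, the form fields and the sample payload are constructed for the example. It also shows why strip_tags on its own, which tal mentions using, does not protect a form field: a payload that contains no tags, only quotes, passes through it untouched and breaks out of the value="..." attribute when echoed back.

```php
<?php
// Added example, not from the original thread: re-echoing submitted form data
// into a "please correct your form" page without opening an XSS hole.
declare(strict_types=1);

/**
 * Keep only the digits of a card number typed with spaces or dashes.
 * Returns the digit string if it has a plausible length and passes the Luhn
 * check, or null if it does not (hypothetical helper for this example).
 */
function normalizeCardNumber(string $raw): ?string
{
    $digits = preg_replace('/\D+/', '', $raw) ?? '';
    $len = strlen($digits);
    if ($len < 12 || $len > 19) {
        return null;
    }
    return luhnValid($digits) ? $digits : null;
}

/** Standard Luhn mod-10 check over a digit string. */
function luhnValid(string $digits): bool
{
    $sum = 0;
    $double = false;                      // every second digit from the right is doubled
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

/**
 * Encode a value for a double-quoted HTML attribute or an HTML text node.
 * ENT_QUOTES is what closes the attribute-breaking hole; strip_tags does not
 * touch quotes at all.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render the form again, pre-filled with what the user typed. */
function renderForm(array $post): string
{
    $name = (string) ($post['name'] ?? '');
    $card = normalizeCardNumber((string) ($post['card'] ?? ''));

    return '<form method="post">'
        . '<input name="name" value="' . h($name) . '">'
        // Only the normalised digits are ever echoed, never the raw input.
        . '<input name="card" value="' . h($card ?? '') . '">'
        . ($card === null ? '<p class="error">Please check the card number.</p>' : '')
        . '</form>';
}

// Constructed sample payload: no angle brackets, so strip_tags() has nothing
// to remove, yet when echoed raw inside value="..." it adds an onfocus handler.
$attack = '" autofocus onfocus="alert(document.cookie)" x="';

echo "strip_tags() left the payload intact: ",
     (strip_tags($attack) === $attack ? 'yes' : 'no'), PHP_EOL;

// Same payload passed through the encoding path: the quotes become &quot; and
// the browser sees one long, harmless attribute value.
echo renderForm(['name' => $attack, 'card' => '4111-1111-1111-1111']), PHP_EOL;
```

Run it with `php example.php`; the rendered form shows the card field holding `4111111111111111` and the name field holding the payload as inert text. The same `h()` function must be applied to any other place the value appears (an error message, a confirmation page), since a cookie or session value that came from the user is just as untrusted when it is read back as when it was first submitted.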
tal Posted February 20, 2010 (Author)

OK, now I see it better. So in order for an XSS to work my site needs to be compromised, and only then can it talk to other sites, so proper sanitizing should do it, right?

I am sorry if my question wasn't clear from the start.

Thank you,
Tal