
Xss And Html Form


tal

Hello all,

I have read a bit about cross site scripting, but I am still not sure about XSS and HTML form data.

In my site I use HTML forms; for example, I ask for a credit card number. I am not using JavaScript in these forms, only HTML and PHP (and cookies).

Is it possible to cross site script the data in the form? (That data is also placed in a cookie if needed.)

Thank you for your time and good answers,
Tal


Do you output any data the user enters, or just accept it and not show it? If you do show it, you need to make sure that when you output it, it doesn't contain any HTML data. In the case of a credit card number, after making sure the credit card is valid, show it. If you accept credit card numbers in any format*, make sure to output only the numbers, without any additional formatting the user might have inputted.

*This will be really beneficial for your users. Many people find it more readable to enter spaces between every 4 numbers or dashes. Instead of requiring them to enter the numbers without such spaces, you can strip out any non-numeric data, and only validate the resulting number.


I use PHP functions, strip_tags and a custom preg_match_all, in order to sanitize the user input. When a form is not filled correctly I send it back with the data filled by the user and sanitized by me, so no HTML tags will go through.

Are "HTML data" and "HTML tags" the same thing?

What I am asking is: is it possible to do a cross site scripting attack so as to grab that data I sanitized and sent back to the user to continue the form filling? I put the data in a cookie on the user's computer, but I don't use JavaScript to handle that data. So is it possible to XSS the form data?

And thanks for the advice about spaces between the numbers, it sounds good.

Thank you,
Tal


You're asking if your form is vulnerable to XSS attacks?

Virtually anything on your page, including cookies, is vulnerable to XSS. The trick in preventing XSS is to make it so that people can't inject code on your site in the first place, instead of trying to protect data after they've already injected code. Don't worry about what they may be able to do once they compromise your site, worry about how to stop them compromising the site in the first place.

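An added example (not code from this thread or from Tal's site) of what the two replies above amount to in PHP: normalize the card number to digits and validate it before showing it, and output-encode every value echoed back into the form, because strip_tags() on input does not make a re-displayed value safe inside an attribute. The field names and the use of a Luhn checksum for "making sure the card is valid" are assumptions.

```php
<?php
declare(strict_types=1);

// Keep only digits, so "4111 1111 1111 1111" and "4111-1111-1111-1111"
// both normalize to the same 16-digit string.
function normalize_card_number(string $raw): string {
    return preg_replace('/\D+/', '', $raw) ?? '';
}

// Luhn checksum (assumption: the validity test the site wants).
// Walk from the right, double every second digit, subtract 9 if > 9.
function is_valid_card_number(string $digits): bool {
    $len = strlen($digits);
    if ($len < 12 || $len > 19 || !ctype_digit($digits)) {
        return false;
    }
    $sum = 0;
    for ($i = 0; $i < $len; $i++) {
        $d = (int) $digits[$len - 1 - $i];
        if ($i % 2 === 1) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
    }
    return $sum % 10 === 0;
}

// Encode for insertion into HTML text or a double-quoted attribute value.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$name = (string) ($_POST['name'] ?? '');            // assumed field name
$card = normalize_card_number((string) ($_POST['cc_number'] ?? '')); // assumed field name

// UNSAFE: strip_tags() only removes <...> tags; it leaves quote characters
// alone, so a value containing a double quote can close value="..." and the
// browser will parse whatever follows as new attributes.
// echo '<input name="name" value="' . strip_tags($name) . '">';

// SAFE: encode at the point of output, regardless of input filtering.
echo '<input name="name" value="' . h($name) . '">' . "\n";
echo '<input name="cc_number" value="' . h($card) . '">' . "\n";

if ($card !== '' && !is_valid_card_number($card)) {
    echo '<p>' . h('The card number entered is not valid.') . "</p>\n";
}
```

The same h() call belongs around any cookie value you read back into the page, since the third reply's point is that a cookie is just another place user-controlled text gets output.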
