Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses, Second Edition

by Chris Snyder, Michael Southwell, Thomas Myer
December 2010
Intermediate to advanced
363 pages
12h 21m
English
Apress
Content preview from Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses, Second Edition

Summary

We began this chapter on how to keep your users' data safe from cross-site scripting exploits by describing exactly what XSS is and how it works. We listed the various kinds of scripting that might be involved, categorized the two varieties of such scripting, and discussed each of a long list of possible XSS techniques.

We then turned to techniques for preventing XSS. After a discussion of why SSL connections do nothing to help this effort, we described various strategies for handling user input:

  • Encoding HTML entities (in input not expected to have HTML content)
  • Sanitizing URIs
  • Filtering for known XSS exploit attempts
  • Isolating sensitive activity in private APIs
  • Predicting users' next actions

We then provided a suggestion for testing ...


ISBN: 9781430233183