Serjio Serjio - 1 year ago 41
SQL Question

initial security measures to be taken for XSS prevention

I have a website that serves as an advertising medium and has no login or registration or another input field, the only thing it has got is a search field, but I have taken care of sql imjection for now, I want to know where should I start for XSS prevention and what steps should I take, I have read the OWASP guidelines but they are too complicated, I need to start from simple to difficult.


You say input fields, but that's really not all that matters. You see, anything that isn't decided in PHP can be influenced by a user. With this in mind, I'm speaking of ajax calls, and routing.

For example, do you use user-friendly urls? In that case you probably route the url through your database? Then that is no different from an input. Any $_GET or $_POST is a vulnerability. You will always have to escape anything you get from these requests as users can influence it.

This means an ajax call where you send data through the $_GET or $_POST, or routing where you basically say (also $_GET) index.php?page=pagename.

This would result in $_GET['page'] and should be escaped if you're making it go through a database.