Serjio Serjio - 6 months ago 11
SQL Question

initial security measures to be taken for XSS prevention

I have a website that serves as an advertising medium and has no login or registration or another input field, the only thing it has got is a search field, but I have taken care of sql imjection for now, I want to know where should I start for XSS prevention and what steps should I take, I have read the OWASP guidelines but they are too complicated, I need to start from simple to difficult.

Answer

You say input fields, but that's really not all that matters. You see, anything that isn't decided in PHP can be influenced by a user. With this in mind, I'm speaking of ajax calls, and routing.

For example, do you use user-friendly urls? In that case you probably route the url through your database? Then that is no different from an input. Any $_GET or $_POST is a vulnerability. You will always have to escape anything you get from these requests as users can influence it.

This means an ajax call where you send data through the $_GET or $_POST, or routing where you basically say (also $_GET) index.php?page=pagename.

This would result in $_GET['page'] and should be escaped if you're making it go through a database.

Comments