
Item 547201

What combination of measures should be used to prevent XSS attacks (choose two)?

A: Use mb_detect_encoding() to detect illegal encodings used in user input.
B: Filter tags and scripts from user input.
C: Enable magic_quotes_gpc to automatically escape input.
D: Escape user input when it is used in the output.

Answer

The answer is the combination of B and D: filter user input and escape it when used for output.

The first line of defense is, as always, to validate user input. It doesn't make sense to accept HTML or any other kind of scripting language in a user code, name or address, so it shouldn't be allowed there.

The second line of defense against XSS attacks is to escape all user input when it's used for output, preferably by using htmlentities() with the ENT_QUOTES flag set. Some suggest that htmlspecialchars() also does the trick, and it certainly does most of what is needed, but it doesn't escape all sorts of fancy quotes.

And besides that, you can't know in advance everything it needs to do. In XSS attacks all sorts of script content (HTML, JavaScript, CSS, VBScript, and more) can be expected to be used in very creative ways. Just spend some time investigating XSS exploits and you too will rather escape a little bit too much.

The magic_quotes_gpc setting has to do with automatic (My)SQL escaping of user input, not with front-end related scripts. It was a PHP design mistake and should be avoided like the plague.

Character encodings do play an important role in XSS attacks, but that is not the context in which you want to use mb_detect_encoding(). If you want to take my advice: use UTF-8 for everything and discard all input that is not valid UTF-8. It will make life a lot easier in many ways, and not only with regard to XSS.
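As an added example (not Scrivo's own code), here are the two layers from the answer in PHP: input validation that also discards invalid UTF-8, and escaping at output time with htmlentities() and ENT_QUOTES. The function names validateName() and h() and the sample inputs are made up for the illustration.

```php
<?php
// Added example: the two layers from the answer above.
// Layer 1 validates input (and rejects invalid UTF-8),
// layer 2 escapes at the moment of output.

/**
 * Layer 1: validate. Returns the cleaned value, or null when the input is
 * not something a "name" field should ever contain.
 */
function validateName(string $raw): ?string
{
    // Discard anything that is not valid UTF-8 (see the last paragraph).
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }
    $name = trim($raw);
    // A name never legitimately contains markup: reject, don't try to repair.
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100 || preg_match('/[<>]/u', $name)) {
        return null;
    }
    return $name;
}

/**
 * Layer 2: escape at the point of output, for an HTML text or quoted
 * attribute context. ENT_QUOTES covers both ' and "; ENT_SUBSTITUTE makes
 * htmlentities() replace invalid byte sequences instead of returning ''.
 */
function h(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs.
$inputs = [
    "Jos\xC3\xA9 van Dijk",          // valid UTF-8: accepted
    "<script>alert(1)</script>",     // markup: rejected by layer 1
    "Jos\xE9 van Dijk",              // Latin-1 byte: rejected as invalid UTF-8
    "O'Reilly \"the\" Great",        // quotes: accepted, neutralised by layer 2
];

foreach ($inputs as $raw) {
    $name = validateName($raw);
    if ($name === null) {
        echo "rejected: " . h($raw) . "\n";   // even the error message is escaped
        continue;
    }
    // Escape when writing output, never when storing the value.
    echo '<input type="text" value="' . h($name) . '">' . "\n";
}
```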