Why do dangerous characters need to be escaped instead of stripped to protect against XSS?
Why, to protect against XSS, do dangerous characters need to be escaped and not removed, for example with the str_replace() function? If you exclude the possibility of using these characters, then XSS should not occur.
You can disable special characters, for example in a username or email. But it's stupid to do this in a password or in the page content; I think few people want to read an article without punctuation marks.
Because there are no "dangerous characters".
A character that is "dangerous" in one context will be useful in another.
If you start removing potentially dangerous characters like this, then nothing will remain of the content.
The funniest thing is to see such questions on sites like toaster. Here the client himself dashed off the answer, in which there are a lot of "dangerous" characters. What will this beautiful answer turn into if all the terribly dangerous characters are cut out of it?
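To illustrate the point that there are no dangerous characters, only output contexts, here is an added example (not from the thread) that takes one constructed piece of user text, shows what stripping does to it, and then escapes the same text for three different contexts (HTML text, HTML attribute, JavaScript string); all function names are assumed.

```python
import html
import json

# Constructed sample user input: legitimate text that happens to contain
# characters that are special in HTML, in an attribute, and in JavaScript.
USER_INPUT = 'Rule: if a < b && b > 0 then print "ok" <b>always</b>'

# The "strip dangerous characters" approach from the question: content is
# lost and the page no longer shows what is stored in the database.
def strip_chars(text: str) -> str:
    for ch in '<>"\'&':
        text = text.replace(ch, '')
    return text

# Escaping keeps every character but makes it inert in its target context.
# Each output context needs its own encoder; one function does not fit all.
def for_html_text(text: str) -> str:
    return html.escape(text, quote=False)

def for_html_attr(text: str) -> str:
    # Quotes must also be encoded, otherwise the value could end the attribute.
    return html.escape(text, quote=True)

def for_js_string(text: str) -> str:
    # JSON encoding gives a valid JS string literal; '<' is additionally
    # encoded so the literal can never close an enclosing <script> element.
    return json.dumps(text).replace('<', '\\u003c')

def render(text: str) -> dict:
    """Same stored text, rendered into three contexts plus the lossy variant."""
    return {
        "stripped": strip_chars(text),
        "html_text": f"<p>{for_html_text(text)}</p>",
        "html_attr": f'<input value="{for_html_attr(text)}">',
        "js": f"var msg = {for_js_string(text)};",
    }

def roundtrip_ok(text: str) -> bool:
    """Escaping is lossless: decoding the escaped form recovers the input."""
    return (html.unescape(for_html_text(text)) == text
            and json.loads(for_js_string(text)) == text)

if __name__ == "__main__":
    for ctx, out in render(USER_INPUT).items():
        print(f"{ctx:10}: {out}")
```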
Because someone came up with this nonsense, and everyone agrees.
It is impossible to do EITHER DELETING OR ESCAPING! And here's why:
1. We delete - we "spoil" the view and distort the understanding of the real information stored in the database: the data on the page will differ from the data in the database. And it is not a fact that this will prevent XSS.
2. We escape - we display everything in the database and allow searching for "holes" in order to "break the site completely".
And, SUDDENLY! we have a 3rd option!
Correctly: validate the integrity of the XML structure and the "white" list of tags in it, if the text contains tag opening/closing characters or any of the string data delimiters in the XML markup. If it doesn't validate, just ignore it (assign null, return false, etc.).
Let me explain using the example of a shell - it seems to me that this is the easiest.
Let's say there is a certain program that runs from the command line. And this program interprets its arguments so that the asterisk has some special meaning. For example, find откуда_искать -name маска_для_поиска - and the search mask may well contain an asterisk.
However, if I write the search mask just like that, then the shell will see an asterisk there and will interpret it in its own way, as a result of which find will receive not what I wanted to pass to it, but something else. And in order for the shell not to act on its own, I must escape the asterisk and other special characters.
Another example is a forum with content stored in SQL-DB:
It is clear that users have the legal right to use any printable characters in the text, including those that are special characters in SQL. Accordingly, when forming an SQL query, special characters must be escaped, otherwise SQL injection is possible.
Ideally, you should use a library like html-sanitizer.
For example, we want to post code. Accordingly, you must either pass all the tags through as they are or use the htmlspecialchars function.
And the most important thing is that this should be done only inside the <pre><code> tags. For the rest, the white list of tags.
Standard functions will not allow you to do this.