DEV Community

Cover image for Securing Your Comment Form From XSS Attack.
manushifva
manushifva

Posted on

Securing Your Comment Form From XSS Attack.

XSS, a simple attack, but can ruin your web easily. To perform this attack, simply just type <script>alert('XSS')</script> at your fictim's comment form. If you find this notification:

Alt Text

Congrats, you found a vulnerable site, and you officially become a bug hunter. XD.

Back to securing the form. There are 3 methods that i know to securing your input form form XSS:

Check the input before add it to the database

Simple one. Check the input if the input not contain something suspicious. If you find it, you can reject the input.

Remove all HTML tags from input

For do this in PHP, you can use strip_tags. Here is the example:

<?php
$input = '<script src = "http://evil.com/some/evil/source"></script> Some comments';

echo strip_tags($input);
?>
Enter fullscreen mode Exit fullscreen mode

And, here is the result:

Some comments
Enter fullscreen mode Exit fullscreen mode

Sanitaze your input

You can sanitaze the input using a simple replace function. Simply, just replace < with &#60; (unicode symbol for <). If you display < as the unicode, the XSS syntax will'nt run, and printed as normal string.

Yeah, that's my tips, Do you have any tips that i don't write here, you can add it down in the comment πŸ‘‡.

Thanks for read, and bye! πŸ‘‹.

Top comments (0)