XSS prevention stops a malicious user's input from being executed as HTML or JS code by turning the information the user entered into plain text, that is, by escaping its special characters

Source: Internet
Author: User
Tags: html encode


Preventing XSS attacks

XSS attacks do harm because the user's input becomes executable code, so we HTML-escape the user's input by escaping its special characters, such as angle brackets, double quotation marks, single quotation marks and the ampersand. For example, "<" becomes "&lt;" after escaping, ">" becomes "&gt;", "'" becomes "&#039;", the double quotation mark becomes "&quot;", and "&" becomes "&amp;" (the ampersand must be escaped first, otherwise an entity the attacker typed, such as "&lt;", would pass through unchanged).

1. For input that could be interpreted as HTML, write it into the page with innerText (or textContent) instead of innerHTML, so the browser treats it as text rather than markup.

2. Where that is not possible, escape the input with a method like the following (JS code):

function Safestr(str) {
    // Escape & first so that entities already present in the input are not corrupted, then the HTML metacharacters.
    return String(str).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
        .replace(/"/g, '&quot;').replace(/'/g, '&#039;');
}

3. XSS defense

We live in a contradictory world: wherever there are spears there are shields. As long as our code has no vulnerability, the attacker has no way in; we make ourselves an egg with no seam for the fly to bite. The principle for fixing XSS bugs is: do not trust the data entered by the client.

Note: the attack code is not necessarily inside <script></script>, so filtering that one tag is not a defense.

Mark important cookies as HttpOnly, so that the document.cookie statement in JavaScript cannot read them.

Process the user's input so that only the data we expect is accepted, and everything else is filtered out. For example, in an age TextBox only numbers are allowed, and any characters other than digits are filtered out.

HTML Encode the data, or filter out or remove special HTML tags such as <script> and <iframe>: encode "<" as &lt;, ">" as &gt;, and the double quotation mark as &quot;.

Filter the JavaScript event attributes of tags, such as "onclick=" and "onfocus=".

The specific defenses for XSS are as follows:
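The following is an added example, not code from the original article: it runs a few constructed attacker inputs (none of which uses a <script> tag) through a naive "strip <script>" filter and through an HTML encoder, applies allow-list validation to the article's "age" field, and builds an innerHTML fragment in which only the template is HTML. The function and variable names (htmlEncode, stripScriptTags, containsTag, validateAge, renderComment, compareDefences) and the payloads are assumptions made for the demo.

```javascript
// Added example (not from the original article). All inputs are constructed for the demo.

// Constructed attacker inputs. None contains a <script> tag, which is the article's
// point: the attack code does not have to live inside <script></script>.
const PAYLOADS = [
  '<img src=x onerror="alert(document.cookie)">',
  '<a href="javascript:alert(1)">click</a>',
  '<div onmouseover="alert(1)">hover</div>',
  '"><svg onload=alert(1)>',
];

// Output encoding for an HTML text or double-quoted attribute context.
// A single regex pass means "&" is encoded together with the other characters, so a
// literal "&lt;" typed by the user becomes "&amp;lt;" and is displayed, not interpreted.
const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
function htmlEncode(str) {
  return String(str).replace(/[&<>"']/g, (c) => ENTITY[c]);
}

// The blocklist approach the article warns against: remove <script> tags and nothing else.
function stripScriptTags(str) {
  return String(str).replace(/<\/?script\b[^>]*>/gi, '');
}

// Does the string still contain something the HTML parser would open as a tag?
// A string for which this is false is rendered literally by the browser.
function containsTag(str) {
  return /<\s*\/?[a-z!]/i.test(str);
}

// Allow-list validation for the article's "age" text box: digits only, plausible range.
// Returns the number, or null when the input is rejected (a rejected value is never echoed).
function validateAge(input) {
  const s = String(input).trim();
  if (!/^\d{1,3}$/.test(s)) return null;
  const n = Number(s);
  return n >= 0 && n <= 150 ? n : null;
}

// Building a fragment destined for innerHTML: every untrusted value goes through
// htmlEncode, so the template literal is the only HTML the browser will parse.
function renderComment(author, text) {
  return `<li><b>${htmlEncode(author)}</b>: ${htmlEncode(text)}</li>`;
}

// Walk each payload through the weak filter and through the encoder, and record
// whether a tag survives each treatment.
function compareDefences(payloads = PAYLOADS) {
  return payloads.map((p) => ({
    payload: p,
    afterStripScript: stripScriptTags(p),
    stillDangerousAfterStrip: containsTag(stripScriptTags(p)),
    encoded: htmlEncode(p),
    stillDangerousAfterEncode: containsTag(htmlEncode(p)),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of compareDefences()) console.log(r);
  console.log(renderComment('mallory', PAYLOADS[0]));
  console.log(validateAge('42'), validateAge('42abc'), validateAge('<b>1</b>'));
}
```

Run it with node: for every payload, stillDangerousAfterStrip is true and stillDangerousAfterEncode is false, which is the difference between filtering one tag and encoding the whole value. The encoder covers text and double-quoted attribute values only; a value placed inside a URL, a JavaScript string or a CSS context needs that context's own encoding.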

