I want to know if entity-encoding the two marks < and > is enough to prevent XSS injections?
And if not, why? And what's the best solution?
It depends very much on context.
Check out this example, from a typical forum site…
Malicious user enters in input field
There is no encoding there of less than and greater than, but still a big security hole.
With htmlspecialchars(), I found it a good idea to make (or use) a wrapper function of it that casts to a string, provides an easier way to disable double encoding (if necessary) and to ensure it is using the correct character set of your application. Kohana has a great example.
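The two points of the answer above (encoding only the angle brackets is not enough once the data lands in an attribute, and a wrapper around htmlspecialchars() that casts to string, fixes the charset and exposes double-encoding) in one runnable PHP script. This is an added example, not code from the answer or from Kohana; the function names naive_encode, h and render_value_attribute and the sample input are constructed for illustration, and it assumes PHP 8 or later.

```php
<?php
// Added example: a "<"/">"-only encoder beside a wrapper around
// htmlspecialchars(). All function names here are hypothetical.

declare(strict_types=1);

// The insufficient approach: only the two angle brackets are replaced.
// Quotes, ampersands and everything else pass through untouched.
function naive_encode(string $s): string
{
    return str_replace(['<', '>'], ['&lt;', '&gt;'], $s);
}

// Wrapper around htmlspecialchars(): casts whatever it is given to a string,
// encodes both quote styles, pins the charset to UTF-8 (instead of relying on
// the default_charset ini setting) and lets the caller turn off double
// encoding when the data is known to contain entities already.
function h(mixed $value, bool $doubleEncode = true): string
{
    return htmlspecialchars(
        (string) $value,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8',
        $doubleEncode
    );
}

// A template that drops untrusted data inside a quoted attribute value,
// the context where encoding only < and > fails.
function render_value_attribute(string $encoded): string
{
    return '<input type="text" value="' . $encoded . '">';
}

// Constructed input: it contains no angle brackets at all, only a double
// quote that terminates the attribute and a space that starts a new one.
$untrusted = 'abc" data-injected="yes';

// With naive_encode() the string is unchanged, so the quote closes value=""
// early and the browser parses data-injected as a second attribute.
echo render_value_attribute(naive_encode($untrusted)), PHP_EOL;

// With h() the quote becomes &quot;, so the whole string stays inside the
// attribute value and no new attribute is created.
echo render_value_attribute(h($untrusted)), PHP_EOL;

// Double-encoding control: the same already-encoded input, once with the
// default (the leading & is encoded again) and once with it disabled (the
// existing entity is recognised and left alone).
$alreadyEncoded = '&amp;lt;';
echo h($alreadyEncoded, true), PHP_EOL;
echo h($alreadyEncoded, false), PHP_EOL;

// Non-string input is handled by the cast instead of raising a TypeError,
// which is why the wrapper accepts mixed rather than string.
echo h(42), PHP_EOL;
```

The point of the first two lines of output is that the payload never needed `<` or `>`: the attribute context is broken by a bare double quote, which only an encoder that also handles quotes (ENT_QUOTES) neutralises. Passing the charset explicitly matters too, because htmlspecialchars() returns an empty string for input that is invalid in the charset it assumes, and ENT_SUBSTITUTE turns that silent failure into a visible replacement character instead.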