Im curious, the pages in question are password protected but it got me thinking. Im experitmenting with the Wymeditor J-Query plugin, it works rather well and deals with XSS scripting attempts by automatically converting angle brackets into html characters etc.
Obviously with direct access a user could disable javascript and then insert any manner of malicious tags into the DB. However i am wondering would it be possible for an automated script to disable javascript if it managed to get buy the password protection, and thus insert malicious scripts to the DB which would then be run when DB information is displayed on another page??
* UPDATE *
I should probably have expanded a bit. I would usually strip_tags() and use prepared statements however for Wymeditor to be of any use to the client then I can’t use strip_tags(). I know I could write some code to remove any malicious looking content but im not sure just how much malicious content i would be looking for, im assuming XSS attacks are alot more varied than just < script >do bad stuff< script > type of thing.
Rule #1: never trust user data.
Corollary: anything that comes from the client side is user data, no matter what in-browser measures your page takes (An automated script might not be running JS at all to begin with, or may inject form fields not present on your page).
So, while the JS editor doesn’t make the site any less safe, it doesn’t provide any additional security either: client-side measures (such as JS input filtering) are for user convenience only and provide exactly zero protection; you need to sanitize user input server-side, regardless of client-side.