How to reduce risk of XSS while allowing html tags

1. Allow a limited set of HTML tags:

  'a'
  'em'
  'strong'
  'cite'
  'code'
  'ul'
  'ol'
  'li'
  'dl'
  'dt'
  'dd'

Refer to the way that Drupal does -  https://api.drupal.org/api/drupal/modules%21filter%21filter.module/function/filter_xss/6.x



2. Remove all script event handlers (onload/onerror/on[a-z]{1,10}=) and src based payload (src=javascript:alert()when storing product information.


on[a-z]{1,10}=

javascript:

data:

Comments

Popular posts from this blog

XSS: Gaining access to HttpOnly Cookie in 2012

HttpOnly Session ID in URL and Page Body | Cross Site Scripting

From Vulnerability to Exploit (Joomla! SQL Injection)