
Let's talk about Cross Site Scripting/XSS


nassau
2006-09-25, 11:45
I read this article http://www.cgisecurity.com/articles/xss-faq.shtml about Cross Site Scripting/XSS.

Quote from article:
"What is Cross Site Scripting?"
Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, instant message, or simply just reading a web board or email message.
...

Basically it says in the article that to protect oneself, you need to encode < and > characters, also %, # and ( ). Would all you experts here agree that that's enough, or "good enough"? What other ways are there to protect your site?
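An added example (not from the thread or the linked FAQ) that puts the FAQ's six-character list beside context-aware output encoding, so the difference shows up in a rendered template. The template, the display name and the search string are constructed; `render_profile`, `homepage_link` and `attribute_delimiters_intact` are hypothetical helper names.

```python
import html
from urllib.parse import quote

# The six characters the linked FAQ says to encode, as numeric/named references.
FAQ_ONLY = {"<": "&lt;", ">": "&gt;", "%": "&#37;", "#": "&#35;",
            "(": "&#40;", ")": "&#41;"}

def encode_faq_only(value: str) -> str:
    """Encode only the characters the FAQ lists; quotes and & pass through."""
    return "".join(FAQ_ONLY.get(ch, ch) for ch in value)

def encode_html(value: str) -> str:
    """Encode for HTML element text and for quoted attribute values:
    & < > " ' are all replaced, so user data cannot end a quoted attribute."""
    return html.escape(value, quote=True)

def encode_url_param(value: str) -> str:
    """Encode a value placed into a query string; safe="" also percent-encodes
    '/', '&', '=' and '?' so the value cannot add or split parameters."""
    return quote(value, safe="")

def render_profile(display_name: str, encoder) -> str:
    """Constructed template: the same user value lands in an attribute AND in text."""
    return f'<span title="{encoder(display_name)}">{encoder(display_name)}</span>'

def attribute_delimiters_intact(rendered_html: str) -> bool:
    """The template carries exactly two double quotes of its own; any more means
    the user value terminated the title attribute early."""
    return rendered_html.count('"') == 2

def homepage_link(search_text: str, encoder) -> str:
    """Constructed link: user-supplied search text goes into a query string."""
    return f'<a href="/search?q={encoder(search_text)}">search</a>'

if __name__ == "__main__":
    # Constructed sample: a display name with double quotes, an apostrophe and a tag.
    name = 'Sam "Q" O\'Neil <b>'
    print(render_profile(name, encode_faq_only))  # quotes survive: attribute broken
    print(render_profile(name, encode_html))      # all five metacharacters encoded
    print(homepage_link("a&b=c", encode_url_param))
```

The check is deliberately crude (it counts quote characters); the point it makes is that the right set of characters depends on where in the page the data lands, not on a fixed list.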

nassau
2006-10-01, 11:38
Nobody?

Dave
2006-10-01, 13:19
<Ben Stein>Anyone? Anyone?</Ben Stein>