How can I protect my site from XSS attacks?
I would like to protect my site against XSS attacks of any kind, as I can do with htaccess or php.

asked by Eddy Otsutsuki 07.03.2017 в 08:16

2 answers


Everything will depend on what kind of XSS you intend to solve. There are two types:

  • Persistent XSS (Stored XSS): occurs in those parts where a user enters data that can be seen by other users, that is, when a database or text file is used and the information is stored. Examples of this are messages in forums, comments on wikis, blogs, etc. Here what you must do is check the inserted data for words and characters that are not allowed, in order to avoid the XSS attack.

  • Reflected XSS: occurs when the scripts are included in the parameters of a web request. For example, when a user passes a link to your site on to another user but that link contains a script, or when a user enters a script in one of its parameters. In this case you have to check the addresses and parameters you receive in order to avoid the attack. This is not the same as phishing, do not confuse the two.

The way to protect the site against XSS is by filtering the input data that the user enters, verifying that it does not carry unwanted tags. For this, it is best to make a whitelist (a list of allowed things that the user can enter) instead of a blacklist (things not allowed). If you use whitelists and you forget something, the user simply cannot enter it; otherwise, you may forget a tag and the page is vulnerable.

Another way to protect yourself would be to use Apache's mod_security; you would have to install it and configure it to filter all those requests, but it is recommended to do it the first way so that you can control your entire flow better in code. That would work for any programming language.

For PHP you should use PHP's validation filters. You also have this library from Google.

Here is more information on data validation, the AntiSamy project, and on doing it in JSP.

answered by 07.03.2017 / 08:40
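As an added illustration of the whitelist approach the answer above recommends (this is example code written for this page, not the asker's site, the answerer's code, or any library mentioned): the script below validates each field against an explicit allowed pattern using PHP's built-in `filter_var` and `preg_match`, and additionally escapes values with `htmlspecialchars` when they are written into the HTML. The escaping step goes beyond what the answer states but is the standard complement to input validation, since a free-text comment field cannot be whitelisted down to "safe characters" without breaking legitimate text. The form fields (`username`, `age`, `comment`) and the sample inputs are assumed for the example.

```php
<?php
// Added example: whitelist input validation plus output escaping for a
// hypothetical comment form with the fields "username", "age" and "comment".

function validateUsername(string $value): ?string
{
    // Whitelist: 3 to 20 characters from a fixed alphabet; anything else is rejected.
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $value) === 1 ? $value : null;
}

function validateAge($value): ?int
{
    // PHP's validation filter: accepts only an integer within the given range.
    $age = filter_var($value, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 120]]);
    return $age === false ? null : $age;
}

function validateComment(string $value): ?string
{
    // Free text cannot be whitelisted character by character without breaking
    // legitimate input, so only its length is constrained here; escaping on
    // output (see escapeHtml) is what keeps it from becoming markup.
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > 500) {
        return null;
    }
    return $value;
}

function escapeHtml(string $value): string
{
    // Encode <, >, &, " and ' so the value is rendered as text inside HTML.
    // This encoder is for HTML body/attribute text only; values placed inside
    // JavaScript, CSS or URLs need their own context-specific encoding.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderComment(array $input): string
{
    $username = validateUsername((string) ($input['username'] ?? ''));
    $age      = validateAge($input['age'] ?? '');
    $comment  = validateComment((string) ($input['comment'] ?? ''));

    // Reject the whole submission if any field fails its whitelist.
    if ($username === null || $age === null || $comment === null) {
        return '<p class="error">Invalid input</p>';
    }

    return '<div class="comment"><b>' . escapeHtml($username) . '</b> ('
        . $age . '): ' . escapeHtml($comment) . '</div>';
}

// Constructed sample submissions, as $_POST would deliver them.
$samples = [
    ['username' => 'alice_01', 'age' => '34', 'comment' => 'Nice post!'],
    ['username' => 'bob',      'age' => '34', 'comment' => '<script>alert(1)</script>'],
    ['username' => '<b>x</b>', 'age' => '34', 'comment' => 'hi'],
    ['username' => 'carol',    'age' => 'abc', 'comment' => 'hi'],
];

foreach ($samples as $s) {
    echo renderComment($s), PHP_EOL;
}
```

Running it prints the first comment unchanged, the second with the `<script>` tag rendered as literal `&lt;script&gt;` text, and the last two rejected by the username and age whitelists respectively. The usual mistake is to escape only the fields you think are dangerous; escaping every value at the point where it enters the HTML, as `renderComment` does, is what makes the whitelist mistakes the answer warns about non-fatal.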

What you must do is control what users enter in the inputs of your website. To clean all possible XSS attacks in PHP there is a very good library; I'll leave you the link so you can take a look:

answered by 07.03.2017 в 11:23