XSS protection

Hi,

my test website maryjane was blocked on a server cause of XSS.
Now I red some articles about XSS.

Is it possible that it belongs to the FRAMEWORK includes?

How can I test if my page is XSS safe?

Any help? Suggestions?

Cheers,
Denis

I would need to see the scan report to tell why that page failed.

normally it happens if you write a URL variable value to the page without scrubbing it using htmlentities. for example:

<php echo(isset($_POST['postval'])?htmlentities($_POST['postval'], ENT_QUOTES):""); ?>

Hi Jason,
now I am a bit afraid. In my backend I let the use insert their website. I check it with the server validation URL.
Will this protect my site or do I need to have more validation?
I tried to enter something like band.php?i=service and it works, I thought this is dangerous :-(
Before I have to rebuild my backend I need to know what protection is allready in the WA dataassist and databridge?
Cheers,
Denis

ps. I dont have any protocol.

in the insert record behavior that stores the website address, when you select the form element bindings, set the formating option to HTML Encode.

Hi Jason,

I think I will allways use the "htmlentities" before insert inth the datebase.
If the links dont work, the use has to change.

I check if its email or url, then I store both with "htmlentities"

Will this be the best solution?

Cheers,
Denis

yes, that would work

hmm, so if I use "htmlentities" it doesnt matter what the user puts into my form fields?
For example I want the street and city, I dont need worry when I insert with "htmlentities"?
Sorry for asking that much, cause, if so, I can use less code, cause I dont need all that validation.
Am I right, when I say, I use the WA validation to FORCE the user to insert LIKE I want.
If I dont want to foce the useer, it allright only to use "htmlentities" in the DA wizzard?

Is the WA "htmlentities" with "ENT_QUOTES"

can you also explaine the diffrence between:

<?php echo (htmlentities($_SERVER["PHP_SELF"], ENT_QUOTES)); ?>

and

<?php echo (htmlentities($_SERVER["PHP_SELF"], ENT_QUOTES)); ?>?<?php echo preg_replace("/^&/", "", preg_replace("/&?invalid=true/", "", $_SERVER["QUERY_STRING"])); ?>

Which is better to use?

Cheers,
Denis

html entities will convert tags to html entities

so if the user enters:

<bold>John Doe</bold>

and you convert that using HTML Entities,

it will insert to the database as:

<bold>John Doe</bold>

How do I use it with universal Email?

same way, when you add a binding for a from address or to address, set the formatting to use HTML Encodeing