Jackie Jen
2,723 Points
Cross Site Scripting (XSS) Attacks
I have searched for what Cross Site Scripting (XSS) attacks are, but mostly the results talk about how they steal the session or cookies of a user. They did not show an example of how to prevent it.
Is there any example that shows how to prevent Cross Site Scripting (XSS) attacks?
2 Answers
Chris Shaw
26,676 Points
Hi Jackie,
There are tons of resources about this topic; here are just a few that appeared first in Google.
- http://stackoverflow.com/questions/1996122/how-to-prevent-xss-with-html-php
- https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
- http://phpsecurity.readthedocs.org/en/latest/Cross-Site-Scripting-(XSS).html
- http://www.sitepoint.com/php-security-cross-site-scripting-attacks-xss/
- https://www.virtuesecurity.com/blog/preventing-cross-site-scripting-php/
Hope that helps.
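Since the question asked for a concrete prevention example, here is one in PHP that follows the output-encoding rule from the OWASP cheat sheet linked above. It is an added example, not code from this thread or from Treehouse; the helper names and the sample inputs are my own, and the inputs are constructed to stand in for values that would normally arrive via `$_GET` or `$_POST`.

```php
<?php
// XSS is prevented at output time: every untrusted value is encoded for the
// exact context it is written into (HTML body, attribute, URL, or JavaScript).
// Input validation (e.g. rejecting special characters) is a useful extra layer,
// but it is not a substitute, because a name like O'Brien must still render safely.

function escapeHtml(string $s): string
{
    // Safe for HTML text and for double- or single-quoted attribute values.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function escapeUrlParam(string $s): string
{
    // Safe for a single query-string value inside an href.
    return rawurlencode($s);
}

function escapeJs(string $s): string
{
    // Produces a quoted JS string literal; the HEX flags stop "</script>" and
    // quotes from breaking out of an inline script block.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Constructed sample inputs (hypothetical attacker-controlled values).
$name  = '<script>alert(1)</script>';
$query = '" onmouseover="alert(1)';

// Vulnerable: raw interpolation lets the markup in $name execute in the browser.
$vulnerable = "<p>Hello, $name</p>";

// Hardened: the same value is rendered as visible text, not as markup.
$safe = '<p>Hello, ' . escapeHtml($name) . '</p>';
// -> <p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</p>

// One value, three contexts, three encoders.
$attribute = '<input type="text" value="' . escapeHtml($query) . '">';
$link      = '<a href="/search?q=' . escapeUrlParam($query) . '">search again</a>';
$script    = '<script>var q = ' . escapeJs($query) . ';</script>';

echo $safe, "\n", $attribute, "\n", $link, "\n", $script, "\n";
```

The key point is that `escapeHtml` alone is not enough for an `href` or an inline script, which is why `escapeUrlParam` and `escapeJs` are separate.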
Michael Bianchi
2,488 Points
Most of your hacking attacks rely on lay users not knowing what to do (social engineering). Get into the practice of form validation and force the user to enter critical items (like passwords) in a certain context (example: don't allow special characters in your forms). PHP and MySQL are especially vulnerable to injection attacks - keep in mind that 50% of websites are attacked with SQL injection. It can even be used to take over a server, and yet it's totally preventable with form validation. PHP 5+ (maybe an earlier version, too, not sure) offers escape characters that treat the backslash, comment characters and quotes in a text field as text and NOT PHP commands - this is useful.