ONJava.com -- The Independent Source for Enterprise Java
Article:
  User-Friendly Form Validation with PHP and CSS
Subject:   Prevent cross-site scripting vulnerability
Date:   2004-04-26 18:28:51
From:   JHolmes763
Where you stick $username back into the text box, be sure to run it through htmlentities() first to prevent cross-site scripting vulnerabilities.


<input type="text" name="username" value="<?php echo htmlentities($username); ?>">


Otherwise, someone can send a value starting with "> that'll end your input text box and they can inject HTML/JavaScript/whatever into the rest of the page.


---John Holmes...
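The attribute breakout described in the comment above, shown end to end as an added example (this code is not from John Holmes's comment or from the ONJava article). The function names renderUnsafe/renderSafe and the attacker payload are constructed for illustration; the escaping call is the standard PHP htmlentities(). The example goes one step beyond the comment by passing ENT_QUOTES explicitly: with PHP's pre-8.1 default flags (ENT_COMPAT), htmlentities() converts double quotes but leaves single quotes alone, so a single-quoted value='...' attribute would still be breakable.

```php
<?php
// Added example, not from the original comment or article.
// Demonstrates why a raw $username inside value="" is an XSS hole and
// how escaping for the attribute context closes it.
declare(strict_types=1);

// Unsafe rendering: the user-controlled string is interpolated verbatim.
// A value beginning with "> terminates the attribute and the <input> tag.
function renderUnsafe(string $username): string
{
    return '<input type="text" name="username" value="' . $username . '">';
}

// Safe rendering: escape for an HTML attribute context.
// ENT_QUOTES converts both " and ' (PHP < 8.1 defaults to ENT_COMPAT,
// which only converts "), ENT_SUBSTITUTE replaces invalid UTF-8 rather
// than returning an empty string, and the charset is stated explicitly.
function renderSafe(string $username): string
{
    $escaped = htmlentities($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="username" value="' . $escaped . '">';
}

// Returns true when the rendered markup contains exactly one tag open and
// one tag close, i.e. the browser sees a single <input> element and nothing
// the attacker supplied became markup.
function staysInsideAttribute(string $html): bool
{
    return substr_count($html, '<') === 1 && substr_count($html, '>') === 1;
}

// Constructed attacker payload: closes the attribute and the tag, then
// injects a script element into the rest of the page.
$payload = '"><script>alert(document.cookie)</script>';

echo "Unsafe: ", renderUnsafe($payload), PHP_EOL;
echo "  breakout? ", staysInsideAttribute(renderUnsafe($payload)) ? 'no' : 'yes', PHP_EOL;

echo "Safe:   ", renderSafe($payload), PHP_EOL;
echo "  breakout? ", staysInsideAttribute(renderSafe($payload)) ? 'no' : 'yes', PHP_EOL;
```

Run it with `php example.php`: the unsafe line contains three tags (the input, the injected script open and close), while the safe line is a single <input> whose value holds the payload as literal text. The same check applies to any attribute you echo user data into; if the attribute is single-quoted, ENT_QUOTES is what makes the difference.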