
Article:
  User-Friendly Form Validation with PHP and CSS
Subject:   Prevent cross site scripting vulnerability
Date:   2004-04-26 18:28:51
From:   JHolmes763
Where you stick $username back into the text box, be sure to run it through htmlentities() first to prevent cross site scripting vulnerabilities.


<input type="text" name="username" value="<?php echo htmlentities($username); ?>">


Otherwise, someone can send a value starting with "> that'll end your input text box and they can inject HTML/JavaScript/whatever into the rest of the page.


---John Holmes...
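The attribute break-out John describes, shown side by side with the escaped version. This is an added example, not code from the article or from the comment; it assumes PHP 7 or later (for the scalar type hints) and a UTF-8 page, and the `$username` value is a constructed sample, not real input.

```php
<?php
// Added example (not the article's or the commenter's code): compare an unescaped
// echo of a form value with the htmlentities() version John recommends.
// Both functions return the HTML fragment instead of printing it so the two
// results can be compared directly.

// Constructed sample input: a value that closes the value="" attribute and the
// <input> tag, so whatever follows is parsed as page markup.
$username = '"><script>alert(1)</script>';

// Vulnerable: the raw value is dropped straight into the attribute.
// Rendered: <input type="text" name="username" value=""><script>alert(1)</script>">
function render_input_unescaped(string $username): string
{
    return '<input type="text" name="username" value="' . $username . '">';
}

// Hardened: &, <, >, " and ' are encoded, so the value cannot leave the attribute.
// ENT_QUOTES also covers single quotes (needed if the attribute were single-quoted);
// ENT_SUBSTITUTE replaces invalid byte sequences instead of returning an empty
// string; the explicit charset avoids a mismatch with the page encoding.
// Rendered: <input type="text" name="username"
//           value="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;">
function render_input_escaped(string $username): string
{
    return '<input type="text" name="username" value="'
        . htmlentities($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// Quick self-check: the escaped fragment must contain exactly one '<' (the
// <input> tag itself); any further '<' would mean markup slipped through.
function attribute_is_contained(string $fragment): bool
{
    return substr_count($fragment, '<') === 1;
}

echo "Unescaped: " . render_input_unescaped($username) . "\n";
echo "Escaped:   " . render_input_escaped($username) . "\n";
echo "Contained (unescaped): " . var_export(attribute_is_contained(render_input_unescaped($username)), true) . "\n";
echo "Contained (escaped):   " . var_export(attribute_is_contained(render_input_escaped($username)), true) . "\n";
```

The escaped form shows `false` for the unescaped fragment and `true` for the escaped one. Escaping on output at the exact point where the value is placed into the attribute, rather than trying to strip "bad" characters on input, is what keeps the check local and easy to audit.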