XSS is like, rampant dude

Question

XSS is like, rampant dude

Closed this issue 7 years ago · 4 comments

jamjar919 commented 7 years ago

All database inputs should be ran through at least striptags(), currently they are not.

Answer 1 · 2017-04-18T22:00:09.000Z

http://htmlpurifier.org/

Answer 2 · 2017-04-18T22:02:33.000Z

Looking at that it seems to implement far more functionality than we need. Will roll own

Answer 3 · 2017-04-18T22:04:38.000Z

Even better htmlspecialchars($var, ENT_QUOTES) does what we need

Answer 4 · 2017-04-18T22:18:08.000Z

commit fixes issues in Food.class.php, User.class.php, UserTools.class.php. If you are doing database inserts or updates somewhere else please wrap them with htmlspecialchars($var, ENT_QUOTES) before inserting. ( @Zigorski @James271 )