I have this piece of code which is a simple html page.
<?php
require_once ("include/config.php");
require_once($home."include/main_pre_body.php");
require_once($home."pop-ups/email/email_form.php")
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<link rel="stylesheet" type="text/css" href="css/style.css" />
<link rel="stylesheet" type="text/css" href="css/calendar.css" />
<link rel="stylesheet" type="text/css" href="css/time.css" />
</head>
<Title><?php echo $EMAIL_TITLE_TEXT?></Title>
<!-- Load Email Form Window -->
<body onload="OpenEmailWin()" style="margin:0px;">
<?php
require_once($home."include/main_post_body.php");
?>
</body>
</html>
I want to prevent all forms of possible xss attacks and i can identify a few but not all.
This is the first line <body onload="OpenEmailWin()" style="margin:0px;"> that i think shall be fixed. I have looked at xss vulnerbilities but the use of < and /> has surprised me the most. I got that from this answer https://stackoverflow.com/a/16126384/492293
Can the use of < and /> make a web page prone to xss attacks and what other parts of the simple page are vulnerable to a posile xss attack?
Thanks.
The two functions htmlspecialchars() and htmlentities() are gonna help you. Use these functions while getting data with POST or GET. like shown below:
htmlspecialchars($_POST["example"]);
htmlentities($_POST["example"]);
or
htmlspecialchars($_GET["example"]);
htmlentities($_GET["example"]);