Website
http://buildingbrowsergames.com -
Original page
http://buildingbrowsergames.com/2008/04/28/cross-site-scripting-what-it-is-and-how-to-prevent-it/ -
if ($username != htmlspecialchars($username)) {
$err = "name contains invalid characters";
}
database, escaping it afterwards helps protect you against XSS attacks that
originate *from* your database - for example, if an attacker gained access
to your database and hand-entered the data.
Rejecting usernames that have special characters in them isn't a bad idea,
but it tends to confuse the user - which characters are invalid? Which
aren't? It would be more useful if you could tell them which characters were
not allowed.
You could definitely do both - how much you allow or disallow is entirely up
to you.
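The two approaches in the reply above, doing both at once: a username check that names the exact characters it objects to, and escaping on output regardless of what the validation decided. This is an added example, not code from the original post or its commenters; the disallowed-character list, the function names (findDisallowedChars, usernameError, h) and the sample inputs are all assumptions made for the illustration.

```php
<?php
// Added example, not code from the original post or its commenters.
// Two complementary defences discussed in the thread:
//  1. reject usernames containing characters you never want, and tell the
//     user exactly which ones were found;
//  2. escape on output anyway, so a value that reached the database by
//     some other path cannot inject markup into the page.

// Characters this example chooses to disallow in usernames (an assumption;
// all of them are single ASCII bytes, which matters for the scan below).
const DISALLOWED_USERNAME_CHARS = ['<', '>', '&', '"', "'", '/', '\\'];

/**
 * Returns an empty array when the username is acceptable, otherwise the
 * distinct disallowed characters it contains, in order of first appearance.
 */
function findDisallowedChars(string $username): array
{
    $found = [];
    // str_split is byte-based, but that is safe here: every disallowed
    // character is an ASCII byte, and bytes of multibyte UTF-8 sequences are
    // all >= 0x80, so they can never match one of them.
    foreach (str_split($username) as $ch) {
        if (in_array($ch, DISALLOWED_USERNAME_CHARS, true)
            && !in_array($ch, $found, true)) {
            $found[] = $ch;
        }
    }
    return $found;
}

/**
 * Builds the message shown to the user, naming the offending characters,
 * or returns null when the username is acceptable.
 */
function usernameError(string $username): ?string
{
    $bad = findDisallowedChars($username);
    if ($bad === []) {
        return null;
    }
    return 'Username contains characters that are not allowed: ' . implode(' ', $bad);
}

/** Escape a string for HTML element content or a double-quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs for the demonstration.
$samples = ['alice', 'bob<script>', "o'neil & co"];
foreach ($samples as $name) {
    $err = usernameError($name);
    // The error message quotes the offending characters, so when it is shown
    // on an HTML page it must go through h() as well.
    echo h($name), ' => ', h($err ?? 'accepted'), PHP_EOL;
    // Whatever validation decided, the stored value is escaped when rendered.
    echo '  rendered as: ', h($name), PHP_EOL;
}
```

Run it with `php example.php`. The point of the split is that validation is a usability decision (which characters you are willing to accept, and saying so clearly) while escaping on output is the security control; the second does not depend on the first having run.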