http://bbgames.disqus.com/enMon, 29 Dec 2008 13:56:31 -0000http://buildingbrowsergames.com/2008/04/28/cross-site-scripting-what-it-is-and-how-to-prevent-it/#comment-4729970Roy,<br>You could definitely do both - how much you allow or disallow is entirely up<br>to you.bbgamesMon, 29 Dec 2008 13:56:31 -0000http://buildingbrowsergames.com/2008/04/28/cross-site-scripting-what-it-is-and-how-to-prevent-it/#comment-4676469So why not simply do both? Make Account names viable if they are only Numbers and letters( ex A-Z, a-z, 0-9), no other char allowed, as well as escaping the repeating information?RoySun, 28 Dec 2008 10:46:45 -0000http://buildingbrowsergames.com/2008/04/28/cross-site-scripting-what-it-is-and-how-to-prevent-it/#comment-3579877While it would make sense to escape the username before it enters the<br>database, escaping it afterwards helps protect you against XSS attacks that<br>originate *from* your database - for example, if an attacker gained access<br>to your database and hand-entered the data.<br>Rejecting usernames that have special characters in them isn't a bad idea,<br>but it tends to confuse the user - which characters are invalid? Which<br>aren't? It would be more useful if you could tell them which characters were<br>not allowed.bbgamesThu, 06 Nov 2008 20:36:43 -0000http://buildingbrowsergames.com/2008/04/28/cross-site-scripting-what-it-is-and-how-to-prevent-it/#comment-3565032I agree that as a general rule this is excellent practice but for something like the user name wouldn't it make for sense to escape it before adding it to the database instead of every time it is displayed? In fact as part of my registration validation I compare the user name with the return from the escape function and if they're not equal I reject the name:<br><br>if ($username != htmlspecialchars($username)) {<br> $err = "name contains invalid characters";<br>}AbraxasThu, 06 Nov 2008 00:39:04 -0000