Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Reply To: Should I Worry About XSS attacks?

#156932
__
Participant

A few typos (too late to edit):

The xssToken function is missing its return statement:

function xssToken(){
    // token is valid for five minutes from the moment it is issued
    $expiry = time() + 300;
    // 16 random bytes from OpenSSL, hex-encoded by md5()
    $token = md5( 
        openssl_random_pseudo_bytes( 16 )
    );
    // keep token and expiry together in the session (session_start() must have run)
    // so the submit handler can check both
    $_SESSION['xssToken'] = array( $token,$expiry );
    return $token;
}

It [almost] doesn’t matter if you check credentials when you the form.

Should read:

It [almost] doesn’t matter if you check credentials when you serve the form.

As in my post in your other thread, I also meant to point out that using a tool like htmlpurifier is a good idea anyway, since it can do other useful things like catching mistakes in your markup (e.g., unknown attributes, mismatched tags, and so forth).
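The post above only shows the token generator and points out that the check has to happen when the form is submitted rather than when it is served. The following is an added example, not code from the original post or the thread, that pairs an issuer like xssToken() with that submit-time check. Function names (issueFormToken, formTokenField, verifyFormToken), the 'formToken' session key, the use of random_bytes() in place of md5(openssl_random_pseudo_bytes()), and the constructed $session array and clock values are all this example's own assumptions; it targets PHP 8.

```php
<?php
declare(strict_types=1);

// Added example (not the original poster's code). Assumptions: the function
// names and the 'formToken' session key are invented here; in a real app
// call session_start() and pass $_SESSION as $session.

const FORM_TOKEN_TTL = 300; // seconds the token stays valid (same window as the post)

/** Create a fresh token, store it with its expiry in the session, return it. */
function issueFormToken(array &$session, ?int $now = null): string
{
    $now ??= time();
    // random_bytes() is a CSPRNG (PHP 7+); hex-encode the 16 bytes directly
    // instead of hashing them, so the token is the raw 128 bits of entropy.
    $token = bin2hex(random_bytes(16));
    $session['formToken'] = [$token, $now + FORM_TOKEN_TTL];
    return $token;
}

/** Hidden field for the served form; escaped so the value cannot break out of the attribute. */
function formTokenField(string $token): string
{
    return '<input type="hidden" name="formToken" value="'
        . htmlspecialchars($token, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

/**
 * Submit-time check. Returns true only if a token was issued, it has not
 * expired, and the submitted value matches it. The stored token is consumed
 * on every attempt, so a replayed submission or a guess after a failed one
 * needs a freshly served form.
 */
function verifyFormToken(array &$session, mixed $submitted, ?int $now = null): bool
{
    $now ??= time();
    if (!isset($session['formToken']) || !is_string($submitted)) {
        return false;                         // nothing issued, or malformed input
    }
    [$expected, $expiry] = $session['formToken'];
    unset($session['formToken']);             // one-time use
    if ($now > $expiry) {
        return false;                         // outside the 300 s window
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

// --- Constructed walkthrough: no real session or HTTP request involved ---
$session = [];                 // stands in for $_SESSION
$t0 = 1_700_000_000;           // fixed clock so the expiry cases are deterministic

$token = issueFormToken($session, $t0);
echo formTokenField($token), PHP_EOL;          // what the served form carries

// Genuine submission a minute later: accepted.
var_dump(verifyFormToken($session, $token, $t0 + 60));

// The same token submitted again: rejected, it was consumed above.
var_dump(verifyFormToken($session, $token, $t0 + 61));

// Forged cross-site request carrying a guessed token: rejected.
$token = issueFormToken($session, $t0);
var_dump(verifyFormToken($session, 'attacker-guess', $t0 + 1));

// Stale form submitted after the window: rejected even with the right token.
$token = issueFormToken($session, $t0);
var_dump(verifyFormToken($session, $token, $t0 + 301));
```

The credential check the post refers to belongs in the same submit handler, after verifyFormToken() returns true; issuing the token when the form is served is only half of the mechanism.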