Reply To: Should I Worry About XSS attacks? (Forums › Back End)
November 22, 2013 at 10:46 am
#156932
__
Participant
A few typos (too late to edit):

The xssToken function is missing its return statement:
function xssToken(){
    // session_start() must already have been called before this runs.
    // Token is valid for five minutes from now.
    $expiry = time() + 300;
    // 16 bytes from the CSPRNG, hex-encoded via md5 (32 hex chars).
    $token = md5(
        openssl_random_pseudo_bytes( 16 )
    );
    // Store token and expiry together so the check on POST can enforce both.
    $_SESSION['xssToken'] = array( $token, $expiry );
    return $token;
}
"It [almost] doesn’t matter if you check credentials when you the form."

Should read:

"It [almost] doesn’t matter if you check credentials when you serve the form."
As in my post in your other thread, I also meant to point out that using a tool like htmlpurifier is a good idea anyway, since it can do other useful things like catching mistakes in your markup (e.g., unknown attributes, mismatched tags, and so forth).
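The snippet above only shows the generation half of the token scheme (which is really a CSRF token, despite the xssToken name). The following is an added example, not code from the post or its author, showing both halves: generating the token with an expiry, and checking it on submission with a constant-time comparison. The names csrfToken, csrfVerify and CSRF_TTL are my own; it assumes PHP 7 or later (random_bytes, hash_equals) and an active session.

```php
<?php
// Added example, not from the original post. A CSRF token stored in the
// session with an expiry, plus the verification step a form handler needs.
// Assumes PHP 7+ and that sessions are available.

const CSRF_TTL = 300; // seconds; same five-minute window as the post's $expiry

function csrfToken(): string {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // 16 CSPRNG bytes, hex-encoded; hashing them adds nothing.
    $token = bin2hex(random_bytes(16));
    $_SESSION['csrfToken'] = [$token, time() + CSRF_TTL];
    return $token;
}

function csrfVerify(?string $submitted): bool {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if ($submitted === null || !isset($_SESSION['csrfToken'])) {
        return false;
    }
    [$token, $expiry] = $_SESSION['csrfToken'];
    // One-shot token: remove it whether or not the check passes, so a
    // replayed value cannot succeed a second time. (Design choice of this
    // example; the post does not specify single use.)
    unset($_SESSION['csrfToken']);
    if (time() > $expiry) {
        return false;
    }
    // hash_equals runs in constant time; == or === would not.
    return hash_equals($token, $submitted);
}

// Usage when serving the form:
//   $t = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
//   echo '<input type="hidden" name="csrfToken" value="' . $t . '">';
// Usage when handling the POST, before doing anything with the data:
//   if (!csrfVerify($_POST['csrfToken'] ?? null)) { http_response_code(403); exit; }
```

The expiry check and the one-shot unset are what make a leaked or stale token harmless; the constant-time comparison closes the timing side channel that a plain string equality would leave open.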