Cross-Site Scripting Vulnerability Testing

By

This article was published in the print magazine Drupal Watchdog, Volume 6 Issue 3, Winter 2016, on page 8, by Linux New Media.

You should verify that any user-contributed textual content on your website cannot contain potentially nefarious HTML tags (such as <script>), because those could be used by attackers to carry out damaging actions from the web browsers of other site visitors. To see if your site is blocking the most egregious scripts, create a web page containing <script>alert( "Gotcha!" )</script> and view the page. To verify that tag filtering is being performed, try <strong>Gotcha!</strong>. If the text alone appears in a strong font, then not all HTML tags are being stripped out. If you see the text and the tags literally on the page, then your site is not interpreting tags as markup commands, including dangerous ones.

Copyright © 2016 Michael J. Ross. All rights reserved.

Add new comment

Filtered HTML

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <address> <area> <blockquote> <br> <cite> <code> <dd> <div> <dl> <dt> <em> <fieldset> <h1> <h2> <h3> <h4> <h5> <h6> <hr> <img> <input> <li> <map> <ol> <p> <pre> <span> <strong> <sup> <u> <ul>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
3 + 0 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.