Cross-Site Scripting Vulnerability Testing
This article was published in the print magazine Drupal Watchdog, Volume 6 Issue 3, on page 8, by Linux New Media.
You should verify that user-contributed text on your website cannot carry potentially nefarious HTML, such as a <script> tag, because an attacker could use it to run code in the web browsers of other site visitors (a cross-site scripting, or XSS, attack). To see whether your site blocks the most obvious payload, create a web page containing

<script>alert( "Gotcha!" )</script>

and view the page. If an alert box pops up, the script ran and the site is vulnerable. To check whether tag filtering is being performed at all, try

<strong>Gotcha!</strong>

and view that page. If the text alone appears in a bold font, the site is rendering user-supplied tags as markup, so not all HTML tags are being stripped out; whether that is acceptable depends on whether <strong> is on a deliberate list of permitted tags and everything else is removed or encoded. If you see the text and the tags literally on the page, the site is escaping user input and is not interpreting tags as markup commands, including dangerous ones.

Passing these two probes is not proof of safety. Script can be injected without a <script> tag, for example through an event-handler attribute on an otherwise harmless tag such as <img src=x onerror="...">, so a filter that only removes <script> elements is insufficient. Test with payloads of that kind as well, and prefer an allowlist of permitted tags, or full entity encoding of the text, over a blocklist of known-bad tags.
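The following is an added example, not code from the Drupal Watchdog article or from Drupal itself. It models the procedure above as a small harness: each probe is passed through a candidate output filter, wrapped in a constructed page fragment, and the rendered result is classified into the outcomes the article describes (tags interpreted, tags shown literally, tags stripped, marker gone). The probe strings, the filter functions, the page wrapper and all function names are my own assumptions; the three filters are a naive blocklist that removes only <script>, full entity encoding, and an allowlist that permits only bare <strong>, so that the output shows why rendering <strong> alone is not a failure while a <script>-only blocklist is.

```python
"""Harness for the XSS probe test described in the article.

Added example, not from the article or from Drupal. Probes, filters and the
page wrapper are constructed here so the script runs offline.
"""
import html
import re

# The two probes from the article, plus one that carries no <script> tag at all.
SCRIPT_PROBE = '<script>alert( "Gotcha!" )</script>'
STRONG_PROBE = '<strong>Gotcha!</strong>'
# A blocklist that only removes <script> lets this through; the browser runs the
# handler as soon as the broken image fails to load.
ONERROR_PROBE = '<img src=x onerror="alert( \'Gotcha!\' )">'

PROBES = {'script': SCRIPT_PROBE, 'strong': STRONG_PROBE, 'onerror': ONERROR_PROBE}


def classify(rendered_html: str, probe: str, marker: str = 'Gotcha!') -> str:
    """Decide how the browser would treat the probe in the page sent back.

    'active'    the probe's opening tag survived unescaped: the browser will
                interpret it (bold text for <strong>, code execution for the others)
    'escaped'   the tag appears as &lt;tag ...: shown as literal text, never run
    'stripped'  the tag is gone but the marker text survived
    'absent'    neither tag nor marker is present
    Note: this looks at the whole fragment, so in real use pass only the region
    of the page where the contributed content is rendered.
    """
    tag = re.match(r'<\s*([a-zA-Z][\w-]*)', probe).group(1)
    if re.search(r'<\s*' + re.escape(tag) + r'\b', rendered_html, re.I):
        return 'active'
    if re.search(r'&lt;\s*' + re.escape(tag) + r'\b', rendered_html, re.I):
        return 'escaped'
    if marker in rendered_html:
        return 'stripped'
    return 'absent'


def strip_script_tags(untrusted: str) -> str:
    """Blocklist filter: removes <script>...</script> and nothing else.

    This is the kind of filtering the article's first probe detects. It is kept
    here only to show the gap the onerror probe exposes.
    """
    return re.sub(r'<script\b[^>]*>.*?</script\s*>', '', untrusted, flags=re.I | re.S)


def encode_for_html(untrusted: str) -> str:
    """Entity-encode everything: the safe default for text that must never be markup."""
    return html.escape(untrusted, quote=True)


def allow_strong_only(untrusted: str) -> str:
    """Allowlist filter: encode everything, then restore bare <strong> / </strong>.

    Because only the bare tags are restored, a <strong onmouseover=...> variant
    stays encoded. This mirrors the 'permitted tags' approach rather than a blocklist.
    """
    encoded = html.escape(untrusted, quote=True)
    return re.sub(r'&lt;(/?)strong&gt;', r'<\1strong>', encoded, flags=re.I)


def run_probes(output_filter) -> dict:
    """Simulate posting each probe through a filter and viewing the resulting page.

    The '<p>...</p>' wrapper stands in for the site's page template (constructed).
    """
    return {name: classify('<p>' + output_filter(probe) + '</p>', probe)
            for name, probe in PROBES.items()}


if __name__ == '__main__':
    for label, fn in [('no filter', lambda s: s),
                      ('strip <script> only', strip_script_tags),
                      ('entity-encode all', encode_for_html),
                      ('allow bare <strong>', allow_strong_only)]:
        print(f'{label:22} {run_probes(fn)}')
```

Reading the verdicts: with no filter every probe is active, which is the vulnerable case. The <script>-only blocklist reports the script probe as absent (it looks like the site "blocked the most egregious script") while both the <strong> and the onerror probes remain active, which is exactly the false sense of security the article's first test can give on its own. Full encoding escapes all three. The allowlist leaves <strong> active and everything else escaped, the outcome to expect from a site that deliberately permits a few formatting tags.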