
ASP.NET has a cross site scripting API by default, however does PHP have a cross site scripting prevention API?

Abe Miessler
Sky

3 Answers

10

ASP.NET does not provide an XSS API. I suspect you are talking about Request Validation, which is a feature in ASP.NET that inspects HTTP requests and looks for potentially dangerous input. To my knowledge PHP does not offer anything like this.

While request validation can be a benefit by preventing certain types of XSS attacks, it is not a replacement for properly securing an application from XSS vulnerabilities. This can be dangerous because it lulls developers into a false sense of security. In addition to this, request validation can be disabled, so if you are relying on it for XSS protection and then someone else disables it, you are in big trouble.

There is a good post here that talks about some of the shortcomings of request validation in ASP.NET.

So in summary: there is no PHP equivalent of ASP.NET's request validation and you shouldn't rely on request validation to protect you from XSS anyways.

Abe Miessler
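To illustrate the "properly securing" point above: since PHP has no request-validation layer, the standard defence is to encode untrusted data at the point of output, with the encoding chosen for the context it lands in. The following is an added example, not code from the answer or from any project it mentions; `$name` is a constructed stand-in for a request parameter.

```php
<?php
// Added example: context-aware output encoding in PHP. Untrusted input is
// stored as-is and encoded only where it is written into the page, because
// the correct encoding depends on the output context, which a request-level
// filter cannot know.
declare(strict_types=1);

// Escape for HTML text content and for double-quoted attribute values.
// ENT_QUOTES encodes both ' and ", ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string (which would silently drop output).
function esc_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape for a value embedded in an inline <script> block as a JS string
// literal. The JSON_HEX_* flags hex-encode <, >, &, ' and " so the value can
// neither terminate the script element nor break out of the string literal.
function esc_js(string $untrusted): string
{
    return json_encode(
        $untrusted,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample input standing in for something like $_GET['name'].
// It is ordinary text that happens to contain the characters that matter.
$name = "O'Brien <b>& Co.</b>";

// The same value is encoded differently for each context it is used in.
$html = esc_html($name);
$js   = esc_js($name);
?>
<p>Hello, <?= $html ?></p>
<input type="text" name="name" value="<?= $html ?>">
<script>var greetingName = <?= $js ?>;</script>
```

Note that neither helper is suitable for a URL or CSS context; those need their own encoders, which is exactly why a single input-side filter cannot stand in for output encoding.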
1

I have used HTML Purifier before and have been pretty satisfied.

http://htmlpurifier.org/

However, I have not performed extensive/advanced testing on it. The basic XSS attempts get caught, and the website seems to show the maintainer has a knack for this thing, so I assume it is not a bogus project. If anyone on here believes otherwise, please let me know.

Radmilla Mustafa
0

There is the OWASP Enterprise Security API, which has a PHP version.

Otherwise, there is the web application firewall approach where using something like PHPIDS or mod_security can stop some of the attacks.

wireghoul