Preventing XSS (cross-site scripting)
Cross-site scripting (XSS) happens when an attacker inserts malicious JavaScript code into a form field or other input and the page later renders it as script. There are two types of XSS:
| Type | Explanation |
|---|---|
| Persistent | The malicious input is stored in the database. When it is rendered in the web browser, it is displayed as part of the page and the malicious code executes. |
| Non-persistent | The malicious input is injected through an unfiltered input (e.g. the query string) and rendered straight back to the client. When it is rendered in the web browser, the malicious code executes. |
By default, SCHLIX CMS offers basic XSS protection that displays a 403 Forbidden error if an input matches specific criteria (usually patterns embedded in the query string). However, this input filter only catches the patterns it recognises, so it is not a complete defence. To ensure that inputs are displayed correctly, always escape them at the point of output with the SAFE_HTML($string_to_output) method.
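As an added example that is not SCHLIX's own code, the following PHP contrasts raw output with output escaped at render time, covering both the non-persistent (query string) and persistent (database) paths from the table above. The names `escape_for_html()`, `render_vulnerable()`, `render_safe()` and `has_unescaped_markup()` are hypothetical, and `escape_for_html()` is only a stand-in built on PHP's `htmlspecialchars()`; in SCHLIX code you would call `SAFE_HTML()` as the page instructs.

```php
<?php
declare(strict_types=1);

// Added example, not SCHLIX's own code. escape_for_html() is a stand-in for
// the CMS's SAFE_HTML() (an assumption about what that method does); it uses
// htmlspecialchars() so untrusted text is shown as text, never parsed as markup.
function escape_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs. In a real request $q would come from the query
// string (non-persistent path) and $comment from the database (persistent path).
const SAMPLE_QUERY   = '<script>alert(1)</script>';
const SAMPLE_COMMENT = '"><img src=x onerror="alert(1)">';

// Vulnerable rendering: values are interpolated raw, so the browser parses
// the payloads as a <script> element and an <img> with an event handler.
// The comment is placed in both an attribute slot and a text slot.
function render_vulnerable(string $q, string $comment): string
{
    return "<p>Results for: $q</p>\n"
         . "<div class=\"comment\" title=\"$comment\">$comment</div>\n";
}

// Hardened rendering: the same template, but every untrusted value is escaped
// at the point of output. ENT_QUOTES matters here because the attribute slot
// is double-quoted and a raw '"' would otherwise close it.
function render_safe(string $q, string $comment): string
{
    $q       = escape_for_html($q);
    $comment = escape_for_html($comment);
    return "<p>Results for: $q</p>\n"
         . "<div class=\"comment\" title=\"$comment\">$comment</div>\n";
}

// Simple check for a unit test or code review: does the rendered HTML still
// contain a raw <script> or <img> tag? Escaped output carries '&lt;' instead
// of '<', so the pattern cannot match it.
function has_unescaped_markup(string $html): bool
{
    return preg_match('/<(script|img)\b/i', $html) === 1;
}

echo render_vulnerable(SAMPLE_QUERY, SAMPLE_COMMENT);
echo render_safe(SAMPLE_QUERY, SAMPLE_COMMENT);
var_dump(has_unescaped_markup(render_vulnerable(SAMPLE_QUERY, SAMPLE_COMMENT)));
var_dump(has_unescaped_markup(render_safe(SAMPLE_QUERY, SAMPLE_COMMENT)));
```

The point of the two renderers sharing one template is that the fix is applied to the data, not the markup: escape every untrusted value where it is written into HTML, whether it arrived a moment ago in the query string or months ago via a stored comment, and do so regardless of whether the request passed the CMS's 403 filter.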