They have added this (after the domain URL) and it becomes a link to a YouTube video. How can I avoid it?
www.example.com/registrarForm.php?msg=%3Csvg%2Fonload%3Deval(atob(%27d2luZG93LmxvY2F0aW9uPSdodHRwczovL3d3dy55b3V0dWJlLmNvbS93YXRjaD92PWRRdzR3OVdnWGNRJwo%3D%27))%3E
The original web page is not really modified, but it becomes a link that could be executed by anything, even a JavaScript script. How can I avoid it?
The form is the following:
<form class="form-signin" action="insertarRegistroUsuario.php" method="post" enctype="multipart/form-data">
<!-- the msg parameter is echoed here without any escaping -->
<?php if (isset($_GET['msg'])) { echo $_GET['msg']; } ?>
<input type="text" id="nombreusuarioUsuario" name="nombreusuarioUsuario" class="form-control" placeholder="Nombre de usuario" required autofocus>
<input type="email" id="emailusuario" name="emailUsuario" class="form-control" placeholder="Email" required autofocus>
<input type="password" id="passwordUsuario" name="passwordUsuario" class="form-control" placeholder="Password" required>
<input type="password" id="passwordUsuario2" name="passwordUsuario2" class="form-control" placeholder="Repetir Password" required>
<input type="text" id="localidadUsuario" name="localidadUsuario" class="form-control" placeholder="Localidad" required autofocus>
<input type="text" id="codigoPostalUsuario" name="codigoPostalUsuario" class="form-control" placeholder="Codigo Potal" required autofocus>
<button class="btn btn-lg btn-primary btn-block" type="submit">Confirmar</button>
</form>
I have also been "attacked" in this way (without the original website being modified):
www.ejemplo.com/registrarseForm.php?msg=<img src="https://s3.amazonaws.com/ceblog/wp-content/uploads/2016/04/22110359/youve-been-hacked.png" />
What you can do is control exactly what is going to be displayed on the screen, for example:
As you make the program more complex, you will delegate the printing of errors to a specific routine, which will do more than output the message to the screen (write the error to the log, for example), but in the meantime, simply not outputting the text as-is is more than enough.
This little example uses a couple of parameters to tell the script what to output on error, but it could be anything you need.
Keep in mind that the user doesn't need too much technical information either; for example, don't display SQL queries on the screen, as the only thing that achieves is to give clues for a possible deliberate attack. Send the technical data to a log and on the screen show only something that the user can use (and understand): 'Try again later', 'Get in touch', 'Do not use special characters'....
NOTE / TRICK
You can make use of a PHP function called htmlspecialchars. You can find more references at this link. What this function does is escape the HTML entities; this way any type of code, be it JavaScript or HTML, will not be executed. You can use it in your code like:
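Added example (not code from either answer) showing both approaches for registrarForm.php: the htmlspecialchars() call this answer describes, and the fixed-message lookup that the earlier answer's "couple of parameters" idea refers to. The message keys and texts are assumptions.

```php
<?php
// Added example, not the original poster's code.
// Two ways to stop the reflected XSS in registrarForm.php:
//  (1) escape whatever is echoed, so the browser sees text, not markup;
//  (2) better: echo only a fixed message chosen by a numeric code, so
//      attacker-controlled text never reaches the HTML at all.

// (1) Escape: <, >, &, " and ' become entities, so a payload such as
//     <svg/onload=...> renders as literal characters and never executes.
function escapeForHtml(string $text): string
{
    // ENT_QUOTES also escapes single quotes (matters inside attributes);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// (2) Allowlist: insertarRegistroUsuario.php redirects with ?msg=2, never
//     with free text. Keys and texts below are assumed for this example.
const USER_MESSAGES = [
    1 => 'Las contraseñas no coinciden.',
    2 => 'El email ya está registrado.',
    3 => 'Inténtelo de nuevo más tarde.',
];

function messageForCode($code): string
{
    $code = filter_var($code, FILTER_VALIDATE_INT);
    // Unknown or non-numeric codes produce no output at all.
    if ($code === false || !isset(USER_MESSAGES[$code])) {
        return '';
    }
    return USER_MESSAGES[$code];
}

// Replacement for the raw `echo $_GET['msg'];` inside the form.
// Escaping is still applied even though the text comes from our own table:
// defence in depth, and it costs nothing.
if (isset($_GET['msg'])) {
    echo '<p class="msg">' . escapeForHtml(messageForCode($_GET['msg'])) . '</p>';
}

// If the site cannot be changed to use codes yet, the minimum fix is to
// escape the raw parameter instead:
//   echo escapeForHtml($_GET['msg']);
```

With the second approach the attacker's `<svg/onload=...>` or `<img src=...>` payloads simply yield an empty message, and the technical details can go to a log instead of the screen.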
Some time ago I developed a function in PHP; what it does is sanitize a PHP string by removing HTML tags, MySQL and iframe attacks, and many others.
There is strip_tags in PHP, but it is not very secure, as there are thousands of ways to encapsulate a piece of malicious code and insert it.
E.g. use:
$msj = '<strong>bold</strong> <script>alert("hacked");</script>';
echo clear_data($msj);
Result: bold-hacked. It only returns the text; if it is a script, form, or strong tag, it will remove it.
function