About the Author

Chris Shiflett

Chris Shiflett is an author and speaker who leads the web application security practice at OmniTI.

XSS Cheatsheet

I stumbled upon an interesting resource today - the XSS Cheatsheet. This is a really wonderful collection of XSS (cross-site scripting) test cases. If you don't know what XSS is, you might find the following resources helpful:

Christian has developed a script for filtering data specifically for XSS. He also has an example implementation where you can try it out for yourself - maybe someone with some free time can try entering all of the test cases to see if any of them expose a weakness.

About This Post

XSS Cheatsheet was posted on Thu, 27 Jan 2005 at 01:32:31 GMT.

4 Comments

1. Diane's GravatarDiane said:

Was trying the test cases at ha.ckers.org/xss.html and found one that worked. Thought you might be interested:

<IMG STYLE='no\xss:noxss("/*");

xss:ex/*XSS*/pression(alert("XSS"))'>

Fri, 16 Sep 2005 at 20:27:56 GMT Link

2. Chris Shiflett's GravatarChris Shiflett said:

I'll let Christian know. Thanks.

Mon, 19 Sep 2005 at 06:23:00 GMT Link

3. <IMG STYLE='no\xss:noxss("/*");'s Gravatar<IMG STYLE='no\xss:noxss("/*"); said:

jj

Mon, 29 May 2006 at 09:47:47 GMT Link

4. Chris Shiflett's GravatarChris Shiflett said:

He means one that worked on Christian's filter. :-)

Mon, 29 May 2006 at 13:39:11 GMT Link

Post A Comment

Personal Details and Comment

Style Guide

Line breaks are converted to paragraphs. Also use:

  • <a href="" title="">text</a>1
  • <em>text</em>
  • <blockquote><p>text</p></blockquote>
  • <code>2  <?php  if ($foo) {      $foo = TRUE;  }  ?></code>
  1. Note: <code> can be used inline (e.g. in paragraphs) or in a block as shown. Include whitespace and newlines in blocks.

Please enter Chris (my first name) below. This is a primitive spam prevention technique, and I apologize for the inconvenience.

Preview and Submit

Upcoming Talks

O'Reilly Open Source Convention

21 - 25 Jul 2008

At Oregon Convention Center, Portland, Oregon.

ZendCon

15 - 18 Sep 2008

In Santa Clara, California.

PHP Appalachia

11 - 14 Oct 2008

At Big Bear Lodge, Gatlinburg, Tennessee.

New Comments

Ash Searle wrote:

It might be worth changing your example code from using htmlentities to htmlspecialchars. Runn...

Posted in Allowing HTML and Preventing XSS
Chris Shiflett wrote:

Hi Steve, According to the NYT Manual of Style and Usage, it's push-up: Most but not all co...

Posted in Miscellaneous
steve wrote:

so, is it push up, pushup or push-up? just curious... --steve --www.hundredpushups.com

Posted in Miscellaneous
Walter Lawless wrote:

It's sad to think that even now, nearly 4 years after this was originally written, that there are...

Posted in
Asanka Dewage wrote:

I've been a Mac user for over a year now and I didn't know about the [say] command! What a nifty ...

Posted in Miscellaneous

Browse Comments