About the Author

Chris Shiflett

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.


XSS Cheatsheet

I stumbled upon an interesting resource today - the XSS Cheatsheet. This is a really wonderful collection of XSS (cross-site scripting) test cases. If you don't know what XSS is, you might find the following resources helpful:

Christian has developed a script for filtering data specifically for XSS. He also has an example implementation where you can try it out for yourself - maybe someone with some free time can try entering all of the test cases to see if any of them expose a weakness.
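A small regression harness of the kind the previous paragraph invites, written here as an added Python example (it is not Christian's script, nor code from this post). It feeds a short list of test vectors through two filtering strategies and reports which vectors each one passes through untouched. The first vector is the one reported in the comments on this post (joined onto a single line); the other three are constructed. The deny-list filter is deliberately naive, to show why substring stripping misses a keyword that a CSS comment splits in two; the allow-list sanitizer (a hypothetical one built on Python's html.parser, permitting only the tags and attributes assumed in the code) never lets a style attribute through at all.

```python
import html
import re
from html.parser import HTMLParser

# Test vector reported in the comments on this post: an IE-era CSS "expression"
# payload whose keyword is split by an inline CSS comment (ex/*XSS*/pression).
CSS_EXPRESSION_VECTOR = (
    "<IMG STYLE='no\\xss:noxss(\"/*\"); xss:ex/*XSS*/pression(alert(\"XSS\"))'>"
)

# Constructed inputs: two more hostile shapes and one benign comment that uses
# only the markup a comment form would normally allow.
VECTORS = [
    CSS_EXPRESSION_VECTOR,
    '<img src="x" onerror="alert(1)">',
    '<a href="javascript:alert(1)">click</a>',
    'Plain text with <em>emphasis</em> and <a href="https://example.com">a link</a>',
]

# --- Approach 1: deny-list substring stripping (deliberately weak) ----------
BAD_SUBSTRINGS = ("<script", "javascript:", "onerror", "onload", "expression(")

def denylist_filter(s):
    """Delete a handful of known-bad substrings, case-insensitively.
    Any vector that spells the dangerous token differently (split by a comment,
    entity-encoded, ...) is invisible to this filter."""
    for bad in BAD_SUBSTRINGS:
        s = re.sub(re.escape(bad), "", s, flags=re.IGNORECASE)
    return s

# --- Approach 2: allow-list of tags and attributes (assumed policy) ---------
# Everything not listed is dropped; 'style' is never allowed, so the comment
# trick above has nowhere to live.
ALLOWED = {
    "a": {"href", "title"},
    "em": set(), "strong": set(), "p": set(), "code": set(), "blockquote": set(),
}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag is dropped, attributes and all
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # only explicit, known-safe URL schemes survive
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return
        # pop back to the matching open tag so the output stays well nested
        while self.open_tags:
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:  # close anything the input left open
            self.out.append(f"</{self.open_tags.pop()}>")

def allowlist_filter(s):
    p = AllowlistSanitizer()
    p.feed(s)
    p.close()
    return "".join(p.out)

# --- Harness: which vectors does a filter pass through untouched? -----------
def passed_unchanged(filter_fn, vectors=VECTORS):
    """Return the vectors the filter returned byte-for-byte unchanged.
    A hostile vector in this list means the filter was blind to it."""
    return [v for v in vectors if filter_fn(v) == v]

if __name__ == "__main__":
    for label, fn in (("deny-list", denylist_filter), ("allow-list", allowlist_filter)):
        print(f"{label} passed unchanged:")
        for v in passed_unchanged(fn):
            print("   ", v)
```

Run it and the deny-list filter reports the split-expression vector as passed unchanged, exactly the kind of finding the post asks readers to look for; the allow-list sanitizer reports only the benign comment. The design point is that the allow-list never reasons about what a style attribute contains, so comment splitting, entity encoding and the other cheatsheet tricks have nothing to defeat.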

About This Post

XSS Cheatsheet was posted on Thu, 27 Jan 2005 at 01:32:31 GMT.

6 Comments

1. Diane said:

Was trying the test cases at ha.ckers.org/xss.html and found one that worked. Thought you might be interested:

<IMG STYLE='no\xss:noxss("/*");

xss:ex/*XSS*/pression(alert("XSS"))'>

Fri, 16 Sep 2005 at 20:27:56 GMT


2. Chris Shiflett said:

I'll let Christian know. Thanks.

Mon, 19 Sep 2005 at 06:23:00 GMT


3. <IMG STYLE='no\xss:noxss("/*"); said:

jj

Mon, 29 May 2006 at 09:47:47 GMT


4. Chris Shiflett said:

He means one that worked on Christian's filter. :-)

Mon, 29 May 2006 at 13:39:11 GMT


5. Jhon said:

Hi Shiflett!

What chain of filters are you using on this site?

Regards

Jhon

Sat, 09 Jan 2010 at 20:24:45 GMT


6. Chris Shiflett said:

Hi Jhon,

I'm using a simple technique I describe in another post:

Allowing HTML and Preventing XSS

Hope that helps!

Fri, 15 Jan 2010 at 02:38:34 GMT

