About the Author

Chris Shiflett

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.


XSS Cheatsheet

I stumbled upon an interesting resource today - the XSS Cheatsheet. This is a really wonderful collection of XSS (cross-site scripting) test cases. If you don't know what XSS is, you might find the following resources helpful:

Christian has developed a script that filters input specifically for XSS. He also has an example implementation where you can try it out for yourself - maybe someone with some free time can try entering all of the cheatsheet's test cases to see whether any of them get past the filter.
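The kind of check the post suggests, as an added example that is not the post's own code and not Christian's script: a small Python harness runs a handful of constructed cheatsheet-style test cases through three filtering approaches and reports which inputs still carry active content afterwards. The fourth test case is a constructed variant of the comment-obfuscated CSS expression() trick reported in the comments below. The blacklist regex, the allowed tag set and the still_active heuristic are assumptions made for this example.

```python
import html
import re

# Constructed test inputs (not the cheatsheet's own entries): one benign
# string, two obvious cases, and a variant of the comment-obfuscated CSS
# expression() case reported in the comments on the post.
TEST_CASES = [
    'Hello, <b>world</b>',
    '<script>alert("XSS")</script>',
    '<IMG SRC="javascript:alert(\'XSS\')">',
    '<DIV STYLE="width: ex/*XSS*/pression(alert(\'XSS\'))">',
]

# Approach 1 (weak): a blacklist that strips a few well-known tokens.
# A CSS comment splitting the keyword is enough to slip past it.
_BLACKLIST = re.compile(r"script|javascript:|expression\(", re.IGNORECASE)

def blacklist_filter(s):
    return _BLACKLIST.sub("", s)

# Approach 2 (robust): escape everything for the HTML text/attribute context,
# so user data is rendered as text and never parsed as markup.
def escape_for_html(s):
    return html.escape(s, quote=True)

# Approach 3 (allowing some HTML): escape everything, then restore only an
# exact allowlist of attribute-free tags. Anything else, including every
# attribute, stays escaped. Hypothetical helper; the tag set is an assumption.
ALLOWED_TAGS = ("em", "strong", "b")

def allowlist_html(s):
    out = html.escape(s, quote=True)
    for tag in ALLOWED_TAGS:
        out = out.replace(f"&lt;{tag}&gt;", f"<{tag}>")
        out = out.replace(f"&lt;/{tag}&gt;", f"</{tag}>")
    return out

# Harness heuristic: after removing /* */ comments the way a lenient CSS
# engine would, is there still a real tag together with an active-content
# token? Escaped output has no tag at all, so it can never be flagged.
_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_TAG = re.compile(r"<\s*[a-zA-Z]")
_ACTIVE = re.compile(r"<\s*script|javascript:|expression\s*\(|\son\w+\s*=",
                     re.IGNORECASE)

def still_active(s):
    canon = _COMMENT.sub("", s)
    return bool(_TAG.search(canon) and _ACTIVE.search(canon))

def run_cases(filter_fn, cases=TEST_CASES):
    """Return the inputs whose filtered output still carries active content."""
    return [c for c in cases if still_active(filter_fn(c))]

if __name__ == "__main__":
    for fn in (blacklist_filter, escape_for_html, allowlist_html):
        survivors = run_cases(fn)
        print(f"{fn.__name__}: {len(survivors)} case(s) survive")
        for s in survivors:
            print("  ", s)
```

Running the harness shows the blacklist passing the comment-split expression() case untouched, while both escaping approaches leave nothing active; the lesson of the cheatsheet is that filters which look for forbidden substrings lose to encoding and comment tricks, whereas escaping for the output context does not depend on recognising the payload.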

About This Post

XSS Cheatsheet was posted on Thu, 27 Jan 2005 at 01:32:31 GMT.

6 Comments

1. Diane said:

Was trying the test cases at ha.ckers.org/xss.html and found one that worked. Thought you might be interested:

<IMG STYLE='no\xss:noxss("/*");

xss:ex/*XSS*/pression(alert("XSS"))'>

Fri, 16 Sep 2005 at 20:27:56 GMT


2. Chris Shiflett said:

I'll let Christian know. Thanks.

Mon, 19 Sep 2005 at 06:23:00 GMT


3. <IMG STYLE='no\xss:noxss("/*"); said:

jj

Mon, 29 May 2006 at 09:47:47 GMT


4. Chris Shiflett said:

He means one that worked on Christian's filter. :-)

Mon, 29 May 2006 at 13:39:11 GMT


5. Jhon said:

Hi Shiflett!

What chain of filters are you using on this site?

Regards

Jhon

Sat, 09 Jan 2010 at 20:24:45 GMT


6. Chris Shiflett said:

Hi Jhon,

I'm using a simple technique I describe in another post:

Allowing HTML and Preventing XSS

Hope that helps!

Fri, 15 Jan 2010 at 02:38:34 GMT

