Forum Moderators: coopster

javascript code in URLs hack

how dangerous this could be

         

phparion

8:01 am on Mar 29, 2008 (gmt 0)




Hi

Today I saw a video on YouTube in which a hacker showed how we can put JavaScript code in the URLs of a website, e.g.

www.example.com/data.php?url=''<iframe src="javascript:alert('visit hacker site')">.php

This will show a popup with the hacker URL. You can mislead users with such a trick, hurting your competitors, e.g. by using such things in blogs and forums, and when visitors click they see your message...

He also showed another technique, like

www.example.com/ddd/''</title><script>alert('again hacker')</script>.html

I wanted to ask on which kind of websites such attacks can work, and what we should do to block such attacks. Also, how dangerous can such attacks be? Can we use more lethal code in the URL?

Please share your wise words. Thank you.

eelixduppy

4:03 pm on Mar 29, 2008 (gmt 0)



This could be pretty dangerous, but it depends on the attack. You can get around this if you clean and check the user data before you output it to the browser. One of the quickest methods is to use htmlentities [php.net] before outputting the data, but sometimes extra checks on the data before output might be helpful, as well.

mehh

5:16 pm on Mar 29, 2008 (gmt 0)




This sort of attack is generally referred to as XSS or cross-site scripting. It can be used for all sorts of things: stealing passwords, hijacking users' browsers and distributing malware. Always sanitise input. And it may not just be JavaScript; VBScript may be used too.

phparion

2:55 am on Mar 31, 2008 (gmt 0)




Checking user input makes sense and can be done while the user is on your website and submits a form or posts some information etc., BUT if someone else has linked my website like www.example.com/page.php?xss-hack then the visitor will click on it and come to my website; then how can I check the URLs etc. before the browser spits out my page?

mikhaill

3:31 am on Mar 31, 2008 (gmt 0)




In addition to just sanitizing input, use substring to limit the length of the string. For example if you ask the user for their zip code, it should be 5 characters long, so cut the length of that input at 5 characters $zipcode = substr($zipcode, 0, 5); to make sure that the attackers aren't feeding too much into that field.

phparion

7:34 am on Mar 31, 2008 (gmt 0)




You can do data validation when a form is submitted on your site, so far so good. I am a little confused about how to deal with inbound links which have an XSS hack in them, e.g. some hacker links to your site with XSS code in it in HEX form so that a visitor can click on the link without noticing it. Then what will you do? Is there any method to block this at the htaccess level for the full domain? Because you can't do this in each and every page of a website, and even that will not be efficient in my personal opinion.

So my question is how to block it for inbound links.

mehh

4:06 pm on Mar 31, 2008 (gmt 0)




If your form is posted through GET, to the script the request will look just like a form post so your validation should handle it. If not the GET information won't be used for anything, so it doesn't matter if the XSS attack is there or not. If you are worried about SEO just redirect the user if there is GET information.

d40sithui

5:46 pm on Mar 31, 2008 (gmt 0)




So even if they have this #*$! in the GET, if we do not process the variable, it will not affect anything, right? Or if we validate it correctly (I'm thinking filtering out all JS and HTML tags) we should be good?

mehh

6:31 pm on Mar 31, 2008 (gmt 0)




If you don't do anything with the variable how is it meant to change the output of the page? As for filtering, you should be. Make sure your filters catch everything though. The only thing I trust is htmlentities() in PHP. There is a good reference here [ha.ckers.org] of attacks.

phparion

5:43 am on Apr 1, 2008 (gmt 0)




The XSS hacks do not necessarily change your page output; meaning it is not necessary that you are using a GET variable or not. E.g. if I write something like this

www.example.com/login.php?url=''<iframe src="javascript:alert('xss hack')">

it will show the popup in the iframe; try it on your domain. Similarly, something like

www.example.com/store/xss-hack-code.php

will also work.

How will you block such attacks? This sort of attack can be used by people to post your website link on their dummy blogs or send emails to people with this hack link. Remember, when people do the XSS hack they convert the link to HEX format so it is not easy for the user to realize the code is in the URL. E.g. I know that flickr is renowned for photo-sharing, so I find an XSS hack which shows my site ad and email this link to lots of people or post it on famous blogs. When users click they see a false advertisement popup of my website while they believe it has come from the flickr website.

[edited by: jatar_k at 1:32 pm (utc) on April 1, 2008]
[edit reason] please use example.com [/edit]

mehh

3:15 pm on Apr 1, 2008 (gmt 0)




I disagree, the iframe itself needs to be shown on the page before the URL "javascript:alert('xss%20hack')" is even seen by the browser. Most XSS relies on changing the page's output and injecting a script for the user to run without realising it. I tried both of your suggestions, phparion, and both times I got a 404. The only XSS attack that doesn't rely on modifying the page's output (that I know of) is tricking the user into going to a javascript: or vbscript: URL. There is nothing you can do to stop this if the user wants to, but you can stop the hacker putting these links on your site with a filter.
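
Added example, not part of any post in this thread: a PHP sketch of two points discussed above. An inbound link with a percent-encoded ("HEX") payload reaches the script already decoded in $_GET, so htmlentities at output time handles it like any form post, and links shown on your own site need a scheme allow-list because entity-encoding does not stop javascript: or vbscript: URLs. The function names (renderUnsafe, renderSafe, e, safeHref) and the sample query string are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: query string of an inbound link to data.php whose
// payload is percent-encoded, so the visitor does not see the markup.
$rawQuery = 'url=%3C%2Ftitle%3E%3Cscript%3Ealert(%27again%20hacker%27)%3C%2Fscript%3E';

// PHP fills $_GET the same way parse_str() does: values arrive decoded,
// so the script sees the same string whether or not the link was encoded.
parse_str($rawQuery, $get);

// Vulnerable: echoes the decoded value into the page unchanged.
function renderUnsafe(array $get): string
{
    return '<p>You came from: ' . ($get['url'] ?? '') . '</p>';
}

// Hardened: encode at output time. ENT_QUOTES also encodes single quotes,
// which matters when the value lands inside an HTML attribute.
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSafe(array $get): string
{
    $url = $get['url'] ?? '';
    if (!is_string($url)) {   // ?url[]=x would make this an array
        $url = '';
    }
    return '<p>You came from: ' . e($url) . '</p>';
}

// Filter for links stored or displayed on your site: allow http(s) only.
// Anything else (javascript:, vbscript:, unparsable input) fails closed.
function safeHref(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? e($url) : '#';
}

echo renderUnsafe($get), "\n";
echo renderSafe($get), "\n";
echo '<a href="', safeHref('javascript:alert(1)'), '">link</a>', "\n";
echo '<a href="', safeHref('https://www.example.com/?a=1&b=2'), '">link</a>', "\n";
```

Because the encoding happens where the value is printed, it applies to every request regardless of how the visitor reached the page.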

penders

4:51 pm on Apr 1, 2008 (gmt 0)




How will you block such attacks?

I believe having mod_security installed under Apache can certainly help against XSS attacks. It took me ages to figure out why my site was returning a "403 Not Acceptable" error for certain URLs. The reason: I was using 'site' as a GET param in the URL and mod_security was having none of it!

Attackers tend to target known scripts. If you are using well known scripts then make sure they are up to date!