jesusoberdan's avatar

HTML Injection

How can I prevent HTML injection? Somebody changed the h2 tag text in my website. When I refresh, everything was normal. Is it an Apache configuration issue? Help please.

0 likes
4 replies
click's avatar

"Somebody changed the h2 tag text in my website"

"When I refresh, everything was normal"

How did you know the h2 tag was changed? HTML injection can happen in many ways but in general:

  • Never trust user input. If you escape your variables with Blade {{ $var }} you are already protected in most cases. But there can always be a hole.
  • If you use JavaScript and insert variables from something, never use yourElement.innerHTML = someUserData; if you are not sure what the variable someUserData contains.
  • If someone has access to your server they can just change your HTML.

Some Resources:

  1. https://www.stackhawk.com/blog/laravel-xss/
  2. https://owasp.org/www-community/attacks/xss/
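
The two escaping points in the reply above, as an added example that is not part of the thread: user data concatenated into markup versus the same data HTML-encoded the way Blade's {{ $var }} does, plus the text-only DOM assignment. All function names and the sample input are constructed for illustration.

```javascript
// Added example (not from the thread). All names here are hypothetical.

// Encode the five characters that PHP's htmlspecialchars() with ENT_QUOTES
// encodes; Blade's {{ $var }} applies that encoding to the value.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Tagged template: literal parts are trusted markup written by the developer,
// every interpolated value is treated as untrusted and escaped.
function safeHtml(strings, ...values) {
  return strings.reduce(
    (out, part, i) => out + part + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// The pattern the reply warns about: user data placed into markup as-is.
function unsafeHeading(userData) {
  return '<h2>' + userData + '</h2>';
}

// Same heading, with the user data encoded before it reaches the markup.
function safeHeading(userData) {
  return safeHtml`<h2>${userData}</h2>`;
}

// Count opening tags to show whether user data turned into markup.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// In the browser, assign user data as text instead of using innerHTML.
function setHeadingText(element, userData) {
  element.textContent = userData; // treated as text, never parsed as HTML
}

// Constructed sample input: a value that tries to add its own markup.
const SAMPLE_INPUT = 'Welcome</h2><h2 class="x">Changed & "replaced"';

console.log(countTags(unsafeHeading(SAMPLE_INPUT)), 'tags without escaping');
console.log(countTags(safeHeading(SAMPLE_INPUT)), 'tag with escaping');
```
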
jesusoberdan's avatar

@click Thanks, I'm going to read the links. I entered the URL and a tag that displays a text A was changed to B. I'm new to this.

Sinnbeck's avatar

@jesusoberdan you can easily change the HTML if you have access to the browser. Right click -> inspect element. Right click the HTML and click Edit. Now change some stuff and click outside the edit window to save. Hit F12 to close the dev tools. You can do this on all web sites.

jlrdw's avatar

@jesusoberdan you need to take some security tutorials. That's why validation and strip_tags and CSRF are so helpful.

But mainly not only authentication but authorization in an application. All these properly implemented secure an app.

And learning this stuff is not a day or two, but to really learn it, you practice it. It can take months to learn if new to it.

And do read and study the links given above, the OWASP site has a lot of good stuff.

1 like
