XSS: REQUEST_URI run through htmlspecialchars() - then replacing & with & - enough to prevent XSS injection?
Sijmen Ruwhof made this interesting point that I feel is relevant.
I once used really weird code for escaping urls, but I bet this can be done better, furthermore this does not cover the html specialchars yet, it was just used for saving urls to the database.
I cant really gove you an answer,but what I can give you is a way to a solution, that is you have to find the anglde that you relate to or peaks your interest. A good paper is one that people get drawn into because it reaches them ln some way.As for me WW11 to me, I think of the holocaust and the effect it had on the survivors, their families and those who stood by and did nothing until it was too late.
Related Questions
What more can I do to prevent myself from XSS injection & SQL Injection?
XSS attack to bypass htmlspecialchars() function in value attribute?
Xss attack - regex or htmlspecialchars?
Mysql_real_escape_string(htmlspecialchars( $value )); is enough? how can I easly improve it?
Problem detecting empty REQUEST_URI with Apache mod_rewrite?
Should I still escape? $_GET and XSS, SQL Injection and other PHP Security Concerns?