@apurvagupta
Last active March 1, 2016 08:06
Solutions:
// Solution #1: validate the query against an allowlist of characters before echoing it.
// The class admits no <, >, ", ' or ;, so a value that passes is safe in an HTML text
// context; the D modifier stops $ from matching before a trailing newline.
<?php if (preg_match('/^[ A-Za-z0-9_@.#&-]*$/D', $_GET['query'] ?? '')) { ?>
<div class="column prepend-1 span-24 first last">
<h2>Pictures that are tagged as '<?= $_GET['query'] ?>'</h2>
<?php thumbnail_pic_list($pictures); ?>
</div>
<?php } else { ?>
<div class="column prepend-1 span-21 first last">
<h3 class="error">Not Valid Format</h3>
</div>
<?php } ?>
// Solution #2: escape HTML metacharacters at output time so the comment renders as text.
// ENT_QUOTES also encodes single quotes, which matters if the value lands inside an attribute.
$guest["comment"] = htmlspecialchars($guest["comment"], ENT_QUOTES, 'UTF-8');
// Solution #3: allowlist of tags. strip_tags filters tag names only and keeps every
// attribute of an allowed tag, so <img src=x onerror=...> passes through intact.
$guest["comment"] = strip_tags($guest["comment"], '<b><img>');
// Solution #4: rename the onload handler to onlaad so the browser ignores it. This is a
// keyword blacklist covering one handler name. stripos() returns 0 when the match is at
// offset 0 (and false when absent), so the test must compare against false, not > 0.
if (stripos($guest["comment"], "onload") !== false) {
    $guest["comment"] = str_ireplace("onload", "onlaad", $guest["comment"]);
}
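Added example, not part of the gist above: the three comment-sanitising strategies run side by side over one constructed hostile comment, next to a DOMDocument-based allowlist sanitiser that keeps only <b> and <img> with an http(s) src. The sample comment, the function names and the sanitize_allowlist helper are assumptions made for this page; the helper illustrates the allowlist approach and is not a substitute for a maintained sanitiser such as HTML Purifier. Run it with the php command-line binary.

```php
<?php
declare(strict_types=1);

// Added example, not from the gist: compare what each strategy leaves behind
// when given the same constructed hostile comment.

// Constructed input: an event handler on an allowed tag, a script tag,
// a javascript: URL and an upper-case ONLOAD.
const SAMPLE_COMMENT = 'Nice <b>pic</b>! <img src="x" onerror="alert(1)"> '
    . '<script>alert(2)</script> <img src="javascript:alert(3)" ONLOAD="alert(4)">';

function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Solution #2: everything becomes literal text.
function escape_all(string $comment): string
{
    return escape_html($comment);
}

// Solution #3: strip_tags keeps allowed tags together with all their attributes.
function strip_to_allowlist(string $comment): string
{
    return strip_tags($comment, '<b><img>');
}

// Solution #4: the onload keyword blacklist; every other handler name is untouched.
function blacklist_onload(string $comment): string
{
    return str_ireplace('onload', 'onlaad', $comment);
}

// Hypothetical allowlist sanitiser: parse the fragment with DOMDocument, then
// re-serialise only the elements and attributes listed in $allowed. Text is
// re-escaped, script/style bodies are dropped, <img> needs an http(s) src.
function sanitize_allowlist(string $comment): string
{
    $allowed = ['b' => [], 'img' => ['src', 'alt']];
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);             // silence loose-HTML warnings
    $doc->loadHTML('<?xml encoding="UTF-8"><body><div>' . $comment . '</div></body>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $wrapper = $doc->getElementsByTagName('div')->item(0); // first div is our wrapper
    return $wrapper === null ? escape_html($comment) : serialize_children($wrapper, $allowed);
}

function serialize_children(DOMNode $node, array $allowed): string
{
    $out = '';
    foreach ($node->childNodes as $child) {
        if ($child instanceof DOMText) {
            $out .= escape_html($child->nodeValue);       // parser decoded entities; re-escape
        } elseif ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if ($tag === 'script' || $tag === 'style') {
                continue;                                 // drop element and body entirely
            }
            if (!isset($allowed[$tag])) {
                $out .= serialize_children($child, $allowed); // unwrap: keep text, lose tag
                continue;
            }
            $attrs = '';
            $hasSrc = false;
            foreach ($allowed[$tag] as $name) {
                if (!$child->hasAttribute($name)) {
                    continue;
                }
                $value = $child->getAttribute($name);
                if ($name === 'src') {
                    if (!preg_match('~^https?://~i', $value)) {
                        continue;                         // rejects javascript: and data: URLs
                    }
                    $hasSrc = true;
                }
                $attrs .= ' ' . $name . '="' . escape_html($value) . '"';
            }
            if ($tag === 'img') {
                if (!$hasSrc) {
                    continue;                             // <img> without a usable src is dropped
                }
                $out .= '<img' . $attrs . '>';
            } else {
                $out .= '<' . $tag . $attrs . '>' . serialize_children($child, $allowed) . '</' . $tag . '>';
            }
        }
        // Comments and other node types are dropped.
    }
    return $out;
}

function compare_strategies(string $comment = SAMPLE_COMMENT): array
{
    return [
        'escape_all'         => escape_all($comment),
        'strip_to_allowlist' => strip_to_allowlist($comment),
        'blacklist_onload'   => blacklist_onload($comment),
        'sanitize_allowlist' => sanitize_allowlist($comment),
    ];
}

foreach (compare_strategies() as $name => $html) {
    printf("%-20s %s\n", $name, $html);
}
```

In the output, strip_to_allowlist still carries onerror="alert(1)" because strip_tags filters tag names only, and blacklist_onload rewrites the upper-case ONLOAD but leaves onerror alone; only escape_all and sanitize_allowlist yield markup with no executable handler, the former by turning the whole comment into text, the latter by keeping just <b>pic</b>.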