I have prevented the word 'script' from submission in my server-side PHP validation and used htmlentities and the strip function. Will this safeguard against all JavaScript-related attacks?
No, there are so many attack vectors, because JavaScript and markup are interpreted, browsers like to fix users' typos automatically, some browsers have unsafe proprietary support for JavaScript in CSS, etc. You can block "script", but what about "sc ript" (yes, some browsers will fix it) or "scrscriptipt"? When your simple validator removes one "script" it will actually leave another. It needs to be recursive. Also, what about onload, onblur, onmove, etc.? There are so many more obscure hacks: http://ha.ckers.org/xss.html
Additionally, simply being able to get a link, or worse an image tag, in will allow the user to make your client and others on the page make arbitrary GET requests, including mimicking admin forms (if you incorrectly allow both GET and POST in your inputs). Why do you think Facebook rewrites all posted links to go through their proxy first?
It's too much for one man to keep track of on his own. You should look into an open-source lib like this one, where people work together on a solution and update it when new exploits are found: http://htmlpurifier.org/ (PHP)
I'm sure other languages have an equivalent.
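As an added example that is not part of the question or the answer above: a PHP script (assumed to approximate the asker's validator; the function names and the sample inputs are constructed) showing how a single-pass "script" blacklist rejoins the nested form the answer mentions, and how context-aware output encoding neutralises the same inputs without any blacklist.

```php
<?php
// Added example, not from the original question or answer.
// Assumed shape of the validator described in the question:
// strip the word "script" once, then strip tags.
function naive_filter(string $input): string
{
    $stripped = str_ireplace('script', '', $input);
    return strip_tags($stripped);
}

// Defensive alternative for untrusted text placed in an HTML body or
// attribute: encode for the HTML context at output time. (Text placed
// into JavaScript, CSS or URL contexts needs that context's encoder;
// and for allowing a subset of HTML, use a library such as HTMLPurifier.)
function encode_for_html(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed input: the nested form from the answer. Removing the inner
// "script" once leaves "scr" + "ipt", which rejoin into the blocked word,
// so a non-recursive blacklist passes exactly what it meant to block.
$nested = 'scrscriptipt';
var_dump(naive_filter($nested) === 'script');   // bool(true)

// Constructed input: an event-handler attribute contains no "script" at
// all, so the word blacklist is not even triggered for it.
$handler = '<b onload="x()">hi</b>';
var_dump(stripos(naive_filter($handler), 'onload'));   // depends on strip_tags

// Output encoding turns both inputs into inert text: the angle brackets
// and quotes are escaped, so nothing is parsed as a tag or attribute.
echo encode_for_html('<' . $nested . '>'), "\n";   // &lt;scrscriptipt&gt;
echo encode_for_html($handler), "\n";              // &lt;b onload=&quot;x()&quot;&gt;hi&lt;/b&gt;
```

Run it with `php example.php`; the point is that the encoded output is safe regardless of which words the input contains, whereas the blacklist's safety depends on guessing every spelling.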