Im desprete beyond hope, Im almost crying, literally, and want to smash something right now.
Because of this little problem:
(Im writing to you since you seem to sucessfuly make this, and also you are rather experienced in web technologies)
I have a website, and it had problem lately that when someone from hive excluding me wanted to post something on it(it is my little secret project that more and more people know about(like 7 at this point)) cant post, because it says their ip was banned because of attack.
I thought the website is resilient to xss, but apparently not.
Now I am trying to fix it, and Im literally crying from the combination of php awesomeness and html parsing which seems to go bananas.
Basically my problem is that users can write, like Im right here, things into textbox and that gets send into database, and then voila, it gets printed(its issue tracker basically, basic one).
The real bananafest just comes:
My database has this wrote in it: <script>alert("hey"
;</script> which is clearly correctly encoded html xss injection attempt(generated by me of course).
The problem is, that when I print it on the website, even tho the output looks like this:
<td colspan='4' id='issue_message_48'
><pre class='mIssueCom'><div class='wordwrap' id='issue_message_div_48'><script>alert("hey"
;</script></div></pre></td>
the problem is that the browser still thinks this is script tag, and when I go "inspect element", it even shows as such(image), and I am completly desprete as to how to deal with this.
Any advices?
edit: happens on both firefox and chrome, for some damn reason