XSS Exposed - how do I fix them?


Re: XSS Exposed - how do I fix them?

Post by simonmlewis »

Does that replace all $search after htmlspecialchars? Or does that script just change what is echoed?
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.
Post by simonmlewis »

I kind of assumed you convert the variable to be "safe" using htmlspecialchars so it can be used anywhere....
Post by Celauran »

http://php.net/manual/en/function.htmlspecialchars.php

It returns the converted string. It's generally used when echoing.
Post by Celauran »

simonmlewis wrote:I kind of assumed you convert the variable to be "safe" using htmlspecialchars so it can be used anywhere....
Your DB doesn't care about markup. Most functions you call won't care either. It's really about preventing the malicious markup from being sent to the browser. Templating languages will often combine htmlspecialchars and echo into a single bit of syntax for the sake of convenience.

PHP

    <?php // ENT_QUOTES also escapes single quotes, so the value is safe inside quoted attributes; name the charset explicitly ?>
    <p><?= htmlspecialchars($foo, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8'); ?></p>

Twig

    <p>{{ foo }}</p>
Post by simonmlewis »

Sure, but for some reason it's finding 88 results, and I cannot see why.
It's not major, but it is odd that it would find "anything".... for that result?!
Post by Celauran »

Are you calling htmlspecialchars and passing the resultant string to your query? As I said previously, these should be entirely separate concerns and one should not affect the other (another reason separation of concerns is so important, but that's a separate issue). That said, treat it as a separate issue. The filtering is working as expected? Great. DB query yields unexpected results? Look at that in isolation. Echo out the parsed query. Run it in the console. Find out where it's breaking and fix that.
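The two points Celauran makes above, that escaping belongs at echo time and that the query is a separate concern from the filtering, put together in one runnable script. This is an added example, not code posted in the thread: it assumes the pdo_sqlite extension is available, and the `members` table, the sample rows, and the helper names `h()` and `findByName()` are constructed here for illustration.

```php
<?php
// Added example (not from the thread): keep storage/query and output escaping separate.
// Assumes pdo_sqlite; the table, rows and helper names below are constructed for this demo.
declare(strict_types=1);

// Output escaping: the one place htmlspecialchars belongs. ENT_QUOTES also
// escapes single quotes, so the result is safe inside '-quoted attributes too.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Query: bind the raw search term with a prepared statement. The database does
// not care about markup; binding is what keeps the term from being parsed as SQL.
function findByName(PDO $pdo, string $search): array
{
    $stmt = $pdo->prepare('SELECT name FROM members WHERE name = :name');
    $stmt->execute([':name' => $search]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Storage: the raw value goes in, also via a bound parameter. Constructed sample rows,
// including one carrying markup that must never reach the browser unescaped.
$insert = $pdo->prepare('INSERT INTO members (name) VALUES (:name)');
foreach (["O'Brien", 'Alice <script>alert(1)</script>'] as $name) {
    $insert->execute([':name' => $name]);
}

// Correct: raw term in, raw rows out, escape only while rendering.
$rows = findByName($pdo, "O'Brien");
echo count($rows), " row(s) for O'Brien\n";          // 1 row(s)
foreach ($pdo->query('SELECT name FROM members') as $row) {
    echo '<p>', h($row['name']), "</p>\n";
    // <p>O&apos;Brien</p>
    // <p>Alice &lt;script&gt;alert(1)&lt;/script&gt;</p>
}

// Wrong: escaping first changes the term, so it no longer matches what was stored.
// The filtering still "works"; the query silently returns the wrong result set.
$escaped = h("O'Brien");                              // O&apos;Brien
echo count(findByName($pdo, $escaped)), " row(s) for ", $escaped, "\n"; // 0 row(s)

// Debugging as suggested above: look at the term the query actually received.
echo 'query term was: ', var_export($escaped, true), "\n";
```

The second search shows why mixing the two concerns produces odd result counts: the escaped term is a different string from the stored one, so an equality match fails even though nothing in the filtering step went wrong. When a query misbehaves, print the exact bound values and run the statement by hand against the database before touching the escaping code.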