XSS Exposed - how do I fix them?
simonmlewis
Re: XSS Exposed - how do I fix them?
Does that replace all $search after htmlspecialchars? Or does that script just change what is echoed?
Love PHP. Love CSS. Love learning new tricks too.
All the best from the United Kingdom.
simonmlewis
Re: XSS Exposed - how do I fix them?
I kind of assumed you convert the variable to be "safe" using htmlspecialchars and then use it anywhere....
Re: XSS Exposed - how do I fix them?
http://php.net/manual/en/function.htmlspecialchars.php
It returns the converted string. It's generally used when echoing.
Re: XSS Exposed - how do I fix them?
simonmlewis wrote:
I kind of assumed you convert the variable to be "safe" using htmlspecialchars and then use it anywhere....

Your DB doesn't care about markup. Most functions you call won't care either. It's really about preventing the malicious markup from being sent to the browser. Templating languages will often combine htmlspecialchars and echo into a single bit of syntax for the sake of convenience.

PHP:
<p><?= htmlspecialchars($foo); ?></p>

Templating syntax:
<p>{{ foo }}</p>
simonmlewis
Re: XSS Exposed - how do I fix them?
Sure but for some reason it's finding 88 results, and I cannot see why.
It's not major, but is odd that it would find "anything".... for that result?!
Re: XSS Exposed - how do I fix them?
Are you calling htmlspecialchars and passing the resultant string to your query? As I said previously, these should be entirely separate concerns and one should not affect the other (another reason separation of concerns is so important, but that's a separate issue). That said, treat it as a separate issue. The filtering is working as expected? Great. DB query yields unexpected results? Look at that in isolation. Echo out the parsed query. Run it in the console. Find out where it's breaking and fix that.
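An added example (not code from the thread or from any poster) of the separation the replies above describe: the raw search term goes to the database as a bound parameter, and htmlspecialchars is applied only where a value reaches the HTML. It assumes PHP with the PDO SQLite driver; the table, rows and the helper names e() and findUsers() are constructed for the example.

```php
<?php
// Added example: escape for the browser at output time only, and keep the
// database query a separate concern that receives the unescaped input.
declare(strict_types=1);

// Output escaping: the one place a value is converted for HTML.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Database concern: the raw term is bound as a parameter. Running
// htmlspecialchars first would change what is matched ("&" becomes "&amp;").
function findUsers(PDO $pdo, string $search): array
{
    // ESCAPE '\' is declared explicitly because SQLite has no default LIKE escape.
    $stmt = $pdo->prepare("SELECT id, name FROM users WHERE name LIKE :term ESCAPE '\\'");
    // Neutralise LIKE wildcards so a term such as "%" does not match every row,
    // which is one way a search returns far more rows than expected.
    $term = '%' . strtr($search, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
    $stmt->execute([':term' => $term]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database so the script runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('Tom & Jerry'), ('Alice'), ('<b>Bob</b>')");

// Raw user input (constructed default for CLI runs). It stays raw until output.
$search = $_GET['q'] ?? 'Tom & Jerry';

$rows = findUsers($pdo, $search);           // 1 row for the default term
// The same query with the escaped term finds nothing, because the stored
// name contains "&", not "&amp;": this is why the two concerns must not mix.
$wrong = findUsers($pdo, e($search));        // 0 rows

echo '<p>Results for <em>' . e($search) . '</em>: ' . count($rows)
    . ' (escaped-first query: ' . count($wrong) . ")</p>\n";
foreach ($rows as $row) {
    echo '<li>' . e($row['name']) . "</li>\n";  // each value escaped exactly once, here
}
```

Run it from the CLI (or with ?q=... in a browser) and compare the two counts: the escaped-first query is the kind of mismatch the reply above suggests isolating by echoing the parsed query and running it directly.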