Re: XSS Exposed - how do I fix them?
Posted: Tue Apr 05, 2016 6:56 am
by simonmlewis
Does that replace all $search after htmlspecialchars? Or does that script just change what is echoed?
Re: XSS Exposed - how do I fix them?
Posted: Tue Apr 05, 2016 6:59 am
by simonmlewis
I kind of assumed you convert the variable to be "safe" using htmlspecialchars to use anywhere....
Re: XSS Exposed - how do I fix them?
Posted: Tue Apr 05, 2016 7:00 am
by Celauran
http://php.net/manual/en/function.htmlspecialchars.php
It returns the converted string. It's generally used when echoing.
Re: XSS Exposed - how do I fix them?
Posted: Tue Apr 05, 2016 7:02 am
by Celauran
simonmlewis wrote:I kind of assumed you convert the variable to be "safe" using htmlspecialchars to use anywhere....
Your DB doesn't care about markup. Most functions you call won't care either. It's really about preventing the malicious markup from being sent to the browser. Templating languages will often combine htmlspecialchars and echo into a single bit of syntax for the sake of convenience.
PHP
<p><?= htmlspecialchars($foo); ?></p>
Twig
Re: XSS Exposed - how do I fix them?
Posted: Tue Apr 05, 2016 8:01 am
by simonmlewis
Sure, but for some reason it's finding 88 results, and I cannot see why.
It's not major, but it is odd that it would find "anything".... for that result?!
Re: XSS Exposed - how do I fix them?
Posted: Tue Apr 05, 2016 8:09 am
by Celauran
Are you calling htmlspecialchars and passing the resultant string to your query? As I said previously, these should be entirely separate concerns and one should not affect the other (another reason separation of concerns is so important, but that's a separate issue). That said, treat it as a separate issue. The filtering is working as expected? Great. DB query yields unexpected results? Look at that in isolation. Echo out the parsed query. Run it in the console. Find out where it's breaking and fix that.
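An added example, not code from the thread, showing the two separate concerns Celauran describes: the raw search term is bound into the query, and htmlspecialchars is applied only where values are echoed into HTML. It uses an in-memory SQLite table with constructed rows so it runs stand-alone; the `products` table and its contents are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed sample data (assumption): an in-memory table with two rows,
// one containing an ampersand and one containing markup.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE products (name TEXT)');
$pdo->exec("INSERT INTO products VALUES ('Tom & Jerry DVD'), ('<b>Bold</b> mug')");

/** Output concern: call this at the point a value is echoed into HTML. */
function h(string $value): string
{
    // ENT_QUOTES also converts single quotes, so the result is safe inside
    // attribute values quoted either way; the charset is stated explicitly.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Database concern: the query never sees HTML-escaped text. */
function findProducts(PDO $pdo, string $search): array
{
    // A bound parameter keeps the raw input out of the SQL text, so no
    // escaping of any kind is applied before querying. Had $search been passed
    // through htmlspecialchars first, searching for "Tom & Jerry" would look
    // for "Tom &amp; Jerry" in the table and the result set would be wrong.
    $stmt = $pdo->prepare('SELECT name FROM products WHERE name LIKE :pattern');
    $stmt->execute([':pattern' => '%' . $search . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed default so the script runs without a request; a real page
// would take the term from the request exactly the same way.
$search = (string) ($_GET['search'] ?? 'Tom & Jerry');
$rows   = findProducts($pdo, $search);   // raw value goes to the query
?>
<p>Results for <?= h($search) ?>:</p>   <!-- escaped value goes to the browser -->
<ul>
<?php foreach ($rows as $name): ?>
    <li><?= h($name) ?></li>            <!-- stored data is escaped on output too -->
<?php endforeach; ?>
</ul>
```

With the default term the query matches one row and the page shows `Tom &amp; Jerry` in the markup, which the browser renders as `Tom & Jerry`; the `<b>` row is escaped to `&lt;b&gt;` when it is listed, so it is displayed as text rather than interpreted.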