XSS from the url

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

XSS from the url

Post by social_experiment »

I did a test on an existing website with the following code for a query string page.php?id=Value<script type="text/javascript">alert('XSS')</script>. Not surprisingly, it displays the alert. However, in the PHP code, I have the following


<?php
 $value = $_GET['id'];
 // before i use it in the query
 $cleanValue = trim(htmlentities($value, ENT_QUOTES));
?>
Yet even with this, the alert message is still displayed when I load the page.

What am I missing?
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: XSS from the url

Post by twinedev »

What is the code where you are displaying $cleanValue?
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: XSS from the url

Post by social_experiment »

That's my problem then; the results don't use htmlentities() when I display them back to the browser 8O
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: XSS from the url

Post by twinedev »

Do you have any place on the page that echoes out $_SERVER['PHP_SELF']? That will also give the full URL.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: XSS from the url

Post by social_experiment »

No, but when I enter it in the URL I assume it is parsed as part of $_GET['id']; that value is displayed elsewhere on the page.
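The gap the thread converges on, as an added example (not code from the original posts): escaping a copy of the value before the query does nothing for the raw value that is echoed elsewhere, and the same applies to $_SERVER['PHP_SELF']. The query-string input is constructed inline and the render functions are hypothetical names.

```php
<?php
// Constructed input standing in for the query string from the first post.
$_GET['id'] = 'Value<script type="text/javascript">alert(\'XSS\')</script>';

$value = $_GET['id'];
// The thread's "cleaning" step: an escaped copy that is only used for the query.
$cleanValue = trim(htmlentities($value, ENT_QUOTES));

// What the page effectively did: the raw $_GET value is echoed elsewhere,
// so the <script> element reaches the browser intact and runs.
function renderUnsafe(string $raw): string {
    return '<p>Result for ' . $raw . '</p>';
}

// Fix: escape at the output boundary, whatever happened on the way in.
// ENT_QUOTES handles both quote styles (needed inside attributes), ENT_SUBSTITUTE
// avoids an empty string on invalid bytes, and the charset must match the page.
function renderSafe(string $raw): string {
    return '<p>Result for '
        . htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

// The same rule covers PHP_SELF, which twinedev points out carries the request
// path; a form action is the usual place it leaks out unescaped.
function formAction(string $phpSelf): string {
    return '<form action="'
        . htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '" method="get">';
}

echo renderUnsafe($value), PHP_EOL; // live <script> element in the markup
echo renderSafe($value), PHP_EOL;   // &lt;script ...&gt; shown as text, not executed
echo formAction('/page.php/"><svg onload=alert(1)>'), PHP_EOL; // quotes and brackets encoded

// The query side is a separate problem: htmlentities() is an HTML encoder, not an
// SQL escaper, so the query should use prepared statements and store the raw value.
```

Rule of thumb from the exchange: encode for the context you are writing into (HTML body, attribute, SQL) at the moment you write into it, not once on input.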