strip_tags. XSS attacks question

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Post by jmut »

Hi,
Is it secure to assume that invoking strip_tags on each variable that is requested is secure enough?
And I won't need to call htmlentities() on each variable when it goes to HTML content.
That said, I want to mention that no HTML of any sort is expected as user input.
Can anyone think of an XSS attack even if strip_tags is invoked on incoming data (hence data is validated as to... no HTML is expected)?
Re: strip_tags. XSS attacks question

Post by _ca_ »

jmut wrote: Is it secure to assume that invoking strip_tags on each variable that is requested is secure enough?
jmut wrote: Can anyone think of an XSS attack even if strip_tags is invoked on incoming data (hence data is validated as to... no HTML is expected)?
It depends. Just take a look at http://ha.ckers.org/xss.html.

If you inject something like this, e.g. as an image filename, your site is vulnerable, even with htmlentities():

Code:

javascript:alert('XSS');

jmut wrote: And I won't need to call htmlentities() on each variable when it goes to HTML content.

You should always use htmlentities() or htmlspecialchars() for your HTML output. Your user input could contain a quote ("), a > or an &. This could break your site.

Post by Mordred »

If you have user input inserted in the middle of a tag, like _ca_ said, the attack vector will not contain any tags OR quotes.

Code:

$string = htmlentities($string, ENT_QUOTES, 'UTF-8');

This (or htmlspecialchars) is the correct usage; don't forget the quotes flag and the encoding setting (replace UTF-8 with your encoding if it's different).

The example given by _ca_ will be safe with correct usage of htmlentities, as it relies on quotes, but this one won't be:

Code:

<?php
// vulnerable: the payload contains neither tags nor quotes, so neither
// strip_tags() nor htmlentities(..., ENT_QUOTES, ...) changes it
$string = 'javascript:alert(String.fromCharCode(88,83,83))';
$string = htmlentities($string, ENT_QUOTES, 'UTF-8');
echo "<IMG SRC='$string'>";
This will work in fairly limited cases (AFAIK), so you have to be aware of them and just not write code like the above IMG tag.
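The point made by _ca_ and Mordred, worked through as an added example (not code from the thread): strip_tags() and htmlentities() leave a user-supplied URL value alone, so a src/href attribute needs a scheme allowlist on top of attribute encoding. The helper names safe_attr(), safe_url() and img_tag() are assumptions for this example.

```php
<?php
// Added example, not from the thread. Shows what strip_tags() and
// htmlentities() actually do to the thread's two URL payloads, and how a
// defensive output layer (encode + scheme allowlist) handles them.

// Encode a value for insertion into a double-quoted HTML attribute.
function safe_attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept only absolute http(s) URLs or site-relative paths for src/href.
// Anything else (javascript:, data:, protocol-relative //host, ...) is
// replaced by a harmless placeholder instead of being echoed.
function safe_url(string $url): string {
    $url = trim($url);
    if (preg_match('#^https?://#i', $url) || preg_match('#^/(?!/)#', $url)) {
        return $url;
    }
    return '#invalid-url';
}

// Always quote the attribute, validate the URL, then encode it.
function img_tag(string $userUrl): string {
    return '<img src="' . safe_attr(safe_url($userUrl)) . '">';
}

// Constructed sample inputs: the two payloads from the thread plus one valid URL.
$inputs = [
    "javascript:alert('XSS')",
    'javascript:alert(String.fromCharCode(88,83,83))',
    'https://example.com/a.png',
];

foreach ($inputs as $in) {
    printf("input:        %s\n", $in);
    // no tags present, so strip_tags() returns the input unchanged
    printf("strip_tags:   %s\n", strip_tags($in));
    // only the single quote in the first payload becomes &#039;; the
    // second payload passes through untouched
    printf("htmlentities: %s\n", htmlentities($in, ENT_QUOTES, 'UTF-8'));
    // javascript: URLs are rejected by the allowlist; the valid URL survives
    printf("hardened:     %s\n\n", img_tag($in));
}
```

Run with `php example.php`; the first two inputs end up as `<img src="#invalid-url">`, the third as a normal image tag.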

Post by jmut »

Damn, totally forgot about quotes :)
I have no file upload, so it is not an issue.
Well, it seems even in my specific situation I will have to use htmlentities.
Thanks.