Hi,
Is it secure to assume that invoking strip_tags on each variable that is requested is secure enough?
And I won't need to use htmlentities() on each variable when it goes into HTML content.
That said, I want to mention that no HTML of any sort is expected as user input.
Can anyone think of an XSS attack even if strip_tags is invoked on incoming data (hence data is validated, as no HTML is expected)?
strip_tags. XSS attacks question
Re: strip_tags. XSS attacks question
jmut wrote: Is it secure to assume that invoking strip_tags on each variable that is requested is secure enough?

It depends. Just take a look at http://ha.ckers.org/xss.html.

jmut wrote: Can anyone think of an XSS attack even if strip_tags is invoked on incoming data (hence data is validated, as no HTML is expected)?

If you inject something like this, i.e. as an image filename, your site is vulnerable, even with htmlentities():

Code:
    javascript:alert('XSS');

jmut wrote: And I won't need to use htmlentities() on each variable when it goes into HTML content.

You should always use htmlentities() or htmlspecialchars() for your HTML output. Your user input could contain a quote ("), a > or a &. This could break your site.

Re: strip_tags. XSS attacks question
If you have user input inserted in the middle of a tag, like _ca_ said, the attack vector will not contain any tags OR quotes.
This (or htmlspecialchars) is the correct usage; don't forget the quotes and the encoding settings (replace utf-8 with your encoding if it's different).

Code:
    $string = htmlentities($string, ENT_QUOTES, 'UTF-8');

The example given by _ca_ will be safe with correct usage of htmlentities, as it relies on quotes, but this one won't be:

Code:
    //vulnerable
    $string = 'javascript:alert(String.fromCharCode(88,83,83))'; //should be a colon after "javascript"
    $string = htmlentities($string, ENT_QUOTES, 'UTF-8');
    echo "<IMG SRC='$string'>";

This will work in fairly limited cases (AFAIK), so you have to be aware of them and just not write code like the above IMG tag.
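Since neither strip_tags() nor htmlentities() touches a javascript: URL, the fix for the IMG case above is to validate the URL scheme before output-encoding for the attribute context. The following is an added PHP example, not code from the thread; safe_url_attr() is a hypothetical helper and the inputs are constructed.

```php
<?php
// Added example (not code from the thread). It shows why neither strip_tags()
// nor htmlentities() makes a value safe in an href/src attribute: both leave
// the "javascript:" scheme untouched. The helper safe_url_attr() is
// hypothetical: it allows only http(s) or relative URLs, then escapes for
// the attribute context.

function safe_url_attr(string $url, string $fallback = '#'): string
{
    // Undo entity encoding first, so "&#106;avascript:" cannot hide the scheme.
    $url = html_entity_decode(trim($url), ENT_QUOTES, 'UTF-8');
    // Browsers ignore ASCII control characters inside a scheme; drop them too.
    $url = preg_replace('/[\x00-\x20\x7F]/', '', $url);

    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === false) {                       // seriously malformed URL
        $url = $fallback;
    } elseif ($scheme !== null
              && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        $url = $fallback;                          // javascript:, data:, vbscript:, ...
    }
    // Output encoding for the attribute context; ENT_QUOTES also covers '.
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: the payload from the thread plus legitimate image URLs.
$inputs = [
    "javascript:alert('XSS');",
    'JaVaScRiPt:alert(String.fromCharCode(88,83,83))',
    '/images/avatar.png',
    'https://example.com/logo.png?size=64&v=2',
];

foreach ($inputs as $in) {
    // strip_tags() returns the payload unchanged: there is no tag to strip.
    printf("strip_tags:    %s\n", strip_tags($in));
    // The two javascript: inputs are replaced by the fallback; the image URLs
    // pass through with & correctly encoded as &amp; for the attribute.
    printf("safe_url_attr: <img src='%s'>\n\n", safe_url_attr($in));
}
```

Protocol-relative URLs (//host/path) carry no scheme and are allowed by this check; tighten the scheme test to require http(s) explicitly if your application should never link off-site.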