strip_tags. XSS attacks question
Posted: Wed Jan 31, 2007 1:28 am
by jmut
Hi,
Is it secure to assume that invoking strip_tags on each variable that is requested is secure enough?
And I won't need to call htmlentities() on each variable when it goes into HTML content.
That said, I want to mention that no HTML of any sort is expected as user input.
Can anyone think of an XSS attack even if strip_tags is invoked on incoming data (hence the data is validated as to... no HTML is expected)?
Re: strip_tags. XSS attacks question
Posted: Wed Jan 31, 2007 3:41 am
by _ca_
jmut wrote:Is it secure to assume that invoking strip_tags on each variable that is requested is secure enough?
jmut wrote:Can anyone think of an XSS attack even if strip_tags is invoked on incoming data (hence the data is validated as to... no HTML is expected)?
It depends. Just take a look at
http://ha.ckers.org/xss.html.
If you inject something like this, e.g. as an image filename, your site is vulnerable, even with htmlentities():
Code:
jmut wrote:And I won't need to call htmlentities() on each variable when it goes into HTML content.
You should always use htmlentities() or htmlspecialchars() for your HTML output. Your user input could contain a quote ("), a > or a &. This could break your site.
Posted: Wed Jan 31, 2007 4:26 am
by Mordred
If you have user input inserted in the middle of a tag, like _ca_ said, the attack vector will not contain any tags OR quotes.
Code:
$string = htmlentities($string, ENT_QUOTES, 'UTF-8');
This (or htmlspecialchars) is the correct usage; don't forget the quotes and the encoding settings (replace UTF-8 with your encoding if it's different).
The example given by _ca_ will be safe with correct usage of htmlentities, as it relies on quotes, but this one won't be:
Code:
// vulnerable
// The payload contains no tags, quotes, angle brackets or ampersands,
// so strip_tags() and htmlentities() both return it unchanged.
$string = 'javascript:alert(String.fromCharCode(88,83,83))';
$string = htmlentities($string, ENT_QUOTES, 'UTF-8');
echo "<IMG SRC='$string'>";
This will work in fairly limited cases (AFAIK), so you have to be aware of them and just not write code like the above IMG tag.
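The following is an added example, not code posted by _ca_, Mordred or jmut. It runs the three approaches discussed in this thread side by side on a few constructed inputs: strip_tags() alone (the original plan), htmlentities() with ENT_QUOTES and an explicit charset (Mordred's usage), and, for attributes that carry a URL, a scheme allowlist in front of the escaping, because an entity-encoded javascript: URL is still a javascript: URL to the browser. The inputs, the safe_url() helper and the fallback image path are assumptions made for the demonstration.

```php
<?php
// Added example (not from the thread): what each defence does to constructed
// payloads when the value lands inside an <img src="..."> attribute.
// Run with: php xss_demo.php

declare(strict_types=1);

// Constructed inputs, chosen to show what strip_tags() lets through.
$inputs = [
    'plain'      => 'hello world',
    // No tag at all, so strip_tags() keeps it; it breaks out of a quoted attribute.
    'attr_break' => '" onmouseover="alert(1)',
    // A bare tag is removed by strip_tags(), so this one looks "safe".
    'script'     => '<script>alert(1)</script>',
    // No tag, no quote, no angle bracket: encoding changes nothing here.
    'js_url'     => 'javascript:alert(String.fromCharCode(88,83,83))',
];

// 1. The original poster's plan: strip_tags() on input, raw output.
//    'attr_break' yields <img src="" onmouseover="alert(1)"> -- still XSS.
function render_strip_only(string $value): string
{
    return '<img src="' . strip_tags($value) . '">';
}

// 2. Escape at output time with ENT_QUOTES and an explicit charset.
//    ENT_SUBSTITUTE (PHP >= 5.4) replaces invalid UTF-8 instead of returning ''.
function esc(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_escaped(string $value): string
{
    return '<img src="' . esc($value) . '">';
}

// 3. For URL attributes, escaping is not enough: 'js_url' survives esc()
//    byte-for-byte and the browser will follow it. Allowlist the scheme first.
//    (Hypothetical helper; adjust the allowlist to what your site needs.)
function safe_url(string $value): ?string
{
    // Browsers strip tabs/newlines inside "java\nscript:", parse_url() does not,
    // so reject control characters and whitespace outright.
    if (preg_match('/[\x00-\x20\x7f]/', $value)) {
        return null;
    }
    $parts = parse_url($value);
    if ($parts === false) {
        return null;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    // Relative URLs (no scheme) and http(s) pass; javascript:, data:, etc. do not.
    if ($scheme !== '' && !in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return $value;
}

function render_url_attr(string $value): string
{
    $url = safe_url($value) ?? '/images/blank.gif'; // hypothetical fallback image
    return '<img src="' . esc($url) . '">';
}

foreach ($inputs as $name => $value) {
    echo "== $name ==\n";
    echo "strip_tags only : ", render_strip_only($value), "\n";
    echo "htmlentities    : ", render_escaped($value), "\n";
    echo "url allowlist   : ", render_url_attr($value), "\n\n";
}
```

The point of the three columns is that each defence answers a different question: strip_tags() removes markup it recognises, htmlentities() makes the value inert in the HTML context it is printed into, and only the scheme check addresses what the browser does with an attribute that is interpreted as a URL. Pick the encoding by output context, not by what you believe the input will look like.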
Posted: Wed Jan 31, 2007 5:56 am
by jmut
Damn, totally forgot about quotes

I have no fileupload so it is not an issue.
Well, it seems even in my specific situation I will have to use htmlentities.
Thanks.