
htmlspecialchars breaks json_decode

To prevent XSS attacks, I have used the code below.

    /* To prevent XSS Attack: escape every request value before the controller runs */
    public function __construct($id, $module = null) {
        $_GET = $this->clean($_GET);
        $_POST = $this->clean($_POST);
        $_REQUEST = $this->clean($_REQUEST);

        // Call parent constructor (pass $module through; "$module=null" in the
        // call would have assigned null instead of forwarding the argument)
        parent::__construct($id, $module);
    }

    /* To prevent XSS Attack: recursively htmlspecialchars() keys and values */
    protected function clean($data) {
        if (is_array($data)) {
            // foreach works on a copy of the array, so re-keying inside the loop is safe
            foreach ($data as $key => $value) {
                unset($data[$key]);
                $data[$this->clean($key)] = $this->clean($value);
            }
        } else {
            // ENT_COMPAT escapes &, <, > and " but leaves single quotes untouched
            $data = htmlspecialchars($data, ENT_COMPAT, 'UTF-8');
        }
        return $data;
    }

It cleans every GET and POST request. It's working fine.

But now it creates a problem: in the code there are lots of places where I am using json_decode.
For example, in one place I have a json_encoded POST variable; to decode it I have to use the code below:

    $objclass->fields = json_decode(html_entity_decode($_POST['fields'], ENT_QUOTES, 'UTF-8'), true);

If I simply use json_decode($_POST['fields'], true); then it will fail, because the $_POST['fields'] data is encrypted using htmlspecialchars.

So is there a way to make json_decode work directly, without having to call html_entity_decode?

No, there is no way. If you apply htmlspecialchars() to all request data, you'll have to use html_entity_decode() to get it back in the raw form.

This technique is bad in the same way magic quotes were bad. I recommend against using it. Instead, use a templating engine and escape the individual variables when needed.
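The following script is an added example, not code from the question or the answer above. It reproduces the failure (a JSON-encoded field that no longer parses once every request value has been through htmlspecialchars with ENT_COMPAT), shows the html_entity_decode workaround from the question, and then the escape-on-output approach the answer recommends. The request array, the field names and the helper functions cleanLikeQuestion, decodeJsonField and e are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer.
// The "request" is constructed inline so the script runs without a web server.

// What the browser actually submitted: one form field holding a JSON document.
$rawPost = ['fields' => '{"name":"<b>Ann & Bob</b>","note":"it\'s \"quoted\""}'];

// 1. The question's approach: htmlspecialchars() applied to every request value
//    (same flags as the question's clean(), written as a plain function).
function cleanLikeQuestion(array $data): array
{
    $out = [];
    foreach ($data as $key => $value) {
        $k = is_string($key) ? htmlspecialchars($key, ENT_COMPAT, 'UTF-8') : $key;
        $out[$k] = is_array($value)
            ? cleanLikeQuestion($value)
            : htmlspecialchars((string) $value, ENT_COMPAT, 'UTF-8');
    }
    return $out;
}

$filtered = cleanLikeQuestion($rawPost);
// Every " is now &quot;, so the field is no longer valid JSON:
//   {&quot;name&quot;:&quot;&lt;b&gt;Ann &amp; Bob&lt;/b&gt;&quot;,...}
var_dump(json_decode($filtered['fields'], true)); // NULL
echo json_last_error_msg(), PHP_EOL;              // Syntax error

// 2. The question's workaround: reverse the escaping before decoding.
//    htmlspecialchars() double-encodes by default, so one html_entity_decode()
//    pass restores the original bytes. It works, but every consumer of request
//    data (JSON, database, logs) must now remember to undo the filter; that is
//    the magic-quotes problem the answer refers to.
$viaWorkaround = json_decode(
    html_entity_decode($filtered['fields'], ENT_QUOTES, 'UTF-8'),
    true
);
var_dump($viaWorkaround['name']); // "<b>Ann & Bob</b>"

// 3. What the answer recommends: leave request data raw, decode it with strict
//    error handling, and escape each value only where it is inserted into HTML.
function decodeJsonField(string $json): array
{
    // JSON_THROW_ON_ERROR (PHP >= 7.3) turns malformed input into an exception
    // instead of a silent NULL that later code may treat as "no fields".
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('expected a JSON object or array');
    }
    return $data;
}

function e(string $s): string
{
    // ENT_QUOTES escapes ' as well as " (ENT_COMPAT, used in the question, leaves
    // single quotes alone); ENT_SUBSTITUTE keeps invalid UTF-8 from producing "".
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$fields = decodeJsonField($rawPost['fields']); // raw input decodes with no workaround
echo '<p>Name: ' . e($fields['name']) . '</p>', PHP_EOL;
echo "<input value='" . e($fields['note']) . "'>", PHP_EOL;
```

Two points worth checking in your own code if you keep the input filter anyway: ENT_COMPAT does not escape single quotes, so a value placed into a single-quoted attribute or a JavaScript string is still injectable despite the filter; and the filter encodes for the HTML context only, while the same value may also be written to SQL, JSON, headers or log files, each of which needs its own escaping at the point of use.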
