
Does urlencode() protect against XSS

$address and $cityState are user provided, stored in a DB, and available for others to view as shown below. Is there a risk of XSS? Should htmlspecialchars() also be used on it?

<img src="http://maps.google.com/maps/api/staticmap?markers=color:blue|<?php echo(urlencode($address.' '.$cityState));?>&amp;zoom=14&amp;size=400x400&amp;sensor=false" alt="Map" />

Yes, htmlspecialchars should also be used - you're first encoding the URL to be URL-safe, and then you're building it into an HTML attribute, which 'requires' the HTML-style escaping.

After using both encodings it's no longer possible to inject arbitrary code on your end of the scale, so if any risks remain they're on Google's end. As such you can then consider this code safe.

There is no magic-wand PHP function that will protect you from everything. Every protection is 100% safe until the day it is hacked. You just need to understand from where and how your site can be hacked and improve your protection every day.

You can get some interesting tips from this article about XSS prevention.

Also, from the php.net urlencode documentation:

<?php
// Sample values (constructed here so the snippet runs stand-alone).
$foo = 'a b&c';
$bar = 'x"y';
// urlencode() makes each value safe inside the query string;
// htmlentities() then makes the whole URL safe inside the href="" attribute.
$query_string = 'foo=' . urlencode($foo) . '&bar=' . urlencode($bar);
echo '<a href="mycgi?' . htmlentities($query_string) . '">';
?>

urlencode() should not be used for protection from XSS. htmlspecialchars() is the way to go, but you are never safe.
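The following is an added example, not code from the asker or from either answer. It builds the static-map tag from the question two ways, with both encoders (URL context first, then attribute context) and with htmlspecialchars() alone, and runs a small check on each result. The function names and the hostile-looking sample inputs are constructed for the demonstration.

```php
<?php
// Added example: how urlencode() and htmlspecialchars() compose when user
// text is placed inside a URL that is itself inside an HTML attribute.
// Run with: php map_tag_example.php

/**
 * Hardened version: each encoder handles its own context.
 *   1. urlencode()        -> the value is safe inside the query string
 *   2. htmlspecialchars() -> the finished URL is safe inside src="..."
 */
function mapImageTag(string $address, string $cityState): string
{
    $markers = urlencode($address . ' ' . $cityState);
    $url = 'http://maps.google.com/maps/api/staticmap'
         . '?markers=color:blue|' . $markers
         . '&zoom=14&size=400x400&sensor=false';
    // ENT_QUOTES escapes both ' and ", so the attribute cannot be closed
    // early whichever delimiter the template uses.
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="Map" />';
}

/**
 * Comparison version: HTML escaping only, no URL encoding of the value.
 * The attribute itself stays intact, but the user controls the query string.
 */
function mapImageTagHtmlOnly(string $address, string $cityState): string
{
    $url = 'http://maps.google.com/maps/api/staticmap'
         . '?markers=color:blue|' . $address . ' ' . $cityState
         . '&zoom=14&size=400x400&sensor=false';
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="Map" />';
}

/**
 * Two checks a reviewer can run on the rendered tag:
 *   - exactly four double quotes: two for src="", two for alt="" (no breakout)
 *   - exactly one zoom= parameter: the user could not smuggle a second one
 */
function tagLooksSane(string $tag): bool
{
    return substr_count($tag, '"') === 4
        && substr_count($tag, 'zoom=') === 1;
}

// Constructed sample inputs (not real addresses).
$samples = [
    'benign'  => ['1600 Amphitheatre Pkwy', 'Mountain View, CA'],
    'hostile' => ['123 Main St" onerror="alert(1)', 'Anytown&zoom=1&size=1x1'],
];

foreach ($samples as $label => [$address, $cityState]) {
    $both     = mapImageTag($address, $cityState);
    $htmlOnly = mapImageTagHtmlOnly($address, $cityState);

    echo "== $label ==", PHP_EOL;
    echo 'urlencode + htmlspecialchars: ', $both, PHP_EOL;
    echo '  sane? ', tagLooksSane($both) ? 'yes' : 'NO', PHP_EOL;
    echo 'htmlspecialchars only:        ', $htmlOnly, PHP_EOL;
    echo '  sane? ', tagLooksSane($htmlOnly) ? 'yes' : 'NO', PHP_EOL;
}
```

For the hostile input the two-encoder version passes both checks: the quote and the `&zoom=1` arrive as `%22` and `%26zoom%3D1`, so they stay inside the markers value. The htmlspecialchars-only version keeps the attribute closed (the quote becomes `&quot;`), but `&amp;zoom=1` is decoded by the browser back to `&zoom=1`, giving the map request a second zoom parameter the user chose; that is the kind of context mismatch the first answer is warning about, and why the encoding for the inner context (URL) is applied before the encoding for the outer one (HTML attribute).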
