
Is htmlspecialchars in HTML value attributes enough to prevent XSS?

Is htmlspecialchars() a foolproof way of preventing any risk of an XSS attack on HTML element attributes?

For example, in this input element will the use of htmlspecialchars() also encoding quotes ensure total safety?

Logically it would seem so as it would stop any string from breaking out of the context of the value attribute; or is there more that could be done?

<input type="text" value="<?php echo htmlspecialchars($dangerousString, ENT_QUOTES, 'UTF-8'); ?>">

Assuming you're using a modern version of PHP, htmlspecialchars() should do the trick.

It's important to note that you also must provide the same encoding (UTF-8) for the whole page via headers and meta tags. Otherwise, you're subject to UTF-7 injection.

Also do note that htmlspecialchars() is fine only for attributes like value that don't interpret JavaScript. It's not enough for src and friends.
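The following PHP page is an added example, not code from the question or the answer above. It shows the three points the answer makes side by side: the charset sent in both the header and the meta tag, htmlspecialchars() with ENT_QUOTES keeping a constructed break-out string inside a value attribute, and a URL-valued attribute (href) where escaping alone leaves a javascript: URL untouched, so a scheme check is needed before the value is escaped. The helpers attr() and safeUrl() and the sample inputs are assumptions made for this example.

```php
<?php
// Added example (not from the original question or answer): which attribute
// contexts htmlspecialchars() with ENT_QUOTES covers, and which it does not.
declare(strict_types=1);

// Send the charset explicitly, before any output, so the browser cannot
// guess a different encoding (the UTF-7 case mentioned in the answer).
header('Content-Type: text/html; charset=UTF-8');

/** Escape a string for a quoted HTML attribute or an HTML text node. */
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hypothetical helper for URL-valued attributes (href, src, action).
 * "javascript:alert(1)" contains no HTML special characters, so attr()
 * returns it unchanged; the scheme has to be checked separately.
 * Only http, https and scheme-less (relative) URLs are allowed here.
 */
function safeUrl(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false) {
        return '#';
    }
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
    if ($scheme !== '' && !in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return attr($url);
}

// Constructed sample inputs: an attribute break-out attempt and a javascript: URL.
$dangerousString = '" onmouseover="alert(1)';
$dangerousUrl    = 'javascript:alert(1)';
?>
<!DOCTYPE html>
<html lang="en">
<head>
<!-- Must agree with the Content-Type header sent above -->
<meta charset="UTF-8">
<title>Attribute escaping example</title>
</head>
<body>
<!-- Safe: the quotes become &quot;, so the string cannot leave the value attribute -->
<input type="text" value="<?= attr($dangerousString) ?>">

<!-- attr() alone does not change this URL at all; shown as text, not placed in href -->
<p>attr() output for the URL: <code><?= attr($dangerousUrl) ?></code></p>

<!-- Safe: non-http(s) schemes are replaced with "#" before escaping -->
<a href="<?= safeUrl($dangerousUrl) ?>">scheme-checked link</a>
<a href="<?= safeUrl('https://example.com/?q=a&b=c') ?>">normal link</a>
</body>
</html>
```

Run it under php -S or any PHP-enabled web server and view the source: the input's value attribute contains `&quot; onmouseover=&quot;alert(1)`, the javascript: URL is printed verbatim inside the paragraph (which is why it would still run if it had been placed in href), and the scheme-checked link's href is `#`.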
