Is htmlspecialchars()
a foolproof way of preventing any risk of an XSS
attack on HTML
element attributes?
For example, in this input element will the use of htmlspecialchars()
also encoding quotes ensure total safety?
Logically it would seem so as it would stop any string from breaking out of the context of the value attribute; or is there more that could be done?
<input type="text" value="<?php echo htmlspecialchars($dangerousString, ENT_QUOTES, 'UTF-8'); ?>"
Assuming you're using a modern version of php, htmlspecialchars
should do the trick.
It's important to note that you also must provide the same encoding ( utf8
) for the whole page via headers and meta tags. Otherwise, you're subject to UTF-7 injection .
Also do note, that htmlspecialchars
is fine only for attributes like value
, that don't interpret javascript. It's not enough for src
and friends.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.