
Do I need to htmlspecialchars() user input in an HTML form to prevent XSS?

Apologies if this has been asked before - but in this case I feel there is an overload of information out there, rather than too little. There also appears to be conflicting opinions everywhere I look. Any clarification would be much appreciated.

I have a user sign-up form. I have validated the different fields, but I haven't used any sanitization functions on the data (eg htmlspecialchars) because I read here that it's best to leave that until output (eg on a user profile). I am using PDO prepared statements to insert my data, so I am safe there as far as I know.

However, having run my domain through various vulnerability scanners, they reported that my sign-up form was very unsafe - and could be victim to XSS attacks. I believe the snippet of code causing this is as follows:

<input type="text" placeholder="Username" name="user" maxlength="32" value="<?php echo test_input($user); ?>" pattern="^[a-zA-Z0-9]*$" required>

I am echo-ing that user's input back into the form in case they have an error in another field, so as to re-submit after correction. Therefore potentially harmful script could be echoed into the page.

However, surely this is only the input from that specific user? The only harm they could cause is to themselves? Is the scanner mistaken or am I largely unaware of the risk?

I have fields for general strings, email address, URLs. What steps do I take to ensure safety for visitors to my site?

Thank you very much for any help/clarification you can give me!

EDIT

function test_input($data)
{
    $data = trim($data);          // drop leading/trailing whitespace
    $data = stripslashes($data);  // remove backslashes (a magic_quotes-era step; no effect on unslashed input)
    $data = htmlspecialchars($data, ENT_QUOTES | ENT_HTML5, 'UTF-8'); // escape for HTML output
    return $data;
}

Do I need to htmlspecialchars() user input in an HTML form to prevent XSS?

You need something. htmlspecialchars is generally a good choice. It is simple and doesn't destroy the input.

However, surely this is only the input from that specific user?

It is on the input from that specific user's browser.

That user might have visited an evil third party site, that puts an XSS attack as the default value of an input in a form on their site. Then they set the action of the form to your site. Then they submit the form with JS.

Result: Their code is injected into your site by the user's browser, and their JS is executed on your site (with access to the user's cookies and session).

When inserting any variables into another context, you should also run them through htmlspecialchars() (or noHTML() above) to ensure they don't break out and add extra attributes to the parent element.

This is safe:

<input type="text" name="username" value="<?php echo noHTML($htmlp->purify($_GET['username'])); ?>" />

This, too, is safe against XSS attacks, but still a bad idea:

<?php echo $htmlp->purify("<input type=\"text\" name=\"username\" value=\"".$_GET['username']."\" />"); ?>

As it turns out, context matters a lot for preventing cross-site scripting attacks. What's secure in one context (eg HTML is allowed) could be disastrous in other contexts (eg we're in the middle of an HTML attribute).

Full Source: https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know
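Putting the two answers together for the asker's three field types (plain strings, email, URL): the value is escaped for the double-quoted attribute it is echoed into, and the URL field gets a scheme check because escaping alone says nothing about what a URL does once it sits in an attribute. This is an added example, not code from the question or the answers; the helpers e(), attr(), safeUrl() and safeEmail() and the sample POST data are this example's own.

```php
<?php
// Added example, not code from the question or the answers: helpers for
// re-echoing the sign-up form's fields safely. Function names e(), attr(),
// safeUrl() and safeEmail() are this example's own.
declare(strict_types=1);
// Escape for a text node or a double-quoted attribute. ENT_QUOTES covers both
// quote kinds; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Emit a whole attribute, always double-quoted, so quoting and escaping match
// and a value cannot close the attribute and add new ones to the element.
function attr(string $name, string $value): string
{
    return $name . '="' . e($value) . '"';
}

// URL fields: escaping does not make an arbitrary scheme safe inside href,
// so accept only http(s) URLs before the value ever reaches such an attribute.
function safeUrl(string $value): ?string
{
    $url = filter_var($value, FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Email field: validate the syntax; escaping still happens at output via e().
function safeEmail(string $value): ?string
{
    $email = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Constructed POST data standing in for a real submission.
$post = [
    'user'    => 'O\'Neil "quoted" <b>',
    'email'   => 'someone@example.com',
    'website' => 'mailto:someone@example.com', // wrong scheme: rejected below
];

// Re-display the form with the submitted values, escaping each one at output.
printf("<input type=\"text\" name=\"user\" %s>\n", attr('value', $post['user']));
printf("<input type=\"email\" name=\"email\" %s>\n", attr('value', safeEmail($post['email']) ?? ''));
printf("<input type=\"url\" name=\"website\" %s>\n", attr('value', safeUrl($post['website']) ?? ''));
```

The same e() helper serves text nodes such as a profile page; what changes per context is only the extra check (scheme, email syntax) applied before the value is stored or echoed.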
