XSS : Creating a javascript object using PHP's json_encode
Question
Is this 100% safe against XSS? If not, can you please provide example bad string text showing me why it is not.
<html>
<body>
<script>
<?php
$bad = "some bad string. please give example text that makes the below unsafe";
echo "var a = ".json_encode($bad).";";
echo "var b = ".json_encode(array($bad)).";";
?>
</script>
</body>
</html>
Thanks.
2 answers
solution1
4 ACCPTED 2011-05-06 15:26:27
In short, it's safe. Possible XSS would require escaping from the javascript string ( " ) or script ( </script> ). Both strings are properly escaped:
" becomes \"
</script> becomes <\/script>
This is the the part about direct injection. Your application should take in account that some array elements may be missing. Another possibility is that an array element is not the type you would expect (eg, an array instead of a string)
solution2
2 2016-10-25 02:57:09
Definitely not!!!
Don't use json_encode to escape javascript.
for example:
json_encode <img src=# onerror=alert(1)> , this will escape nothing and output to brower. This is a xss.
use htmlspecialchars instead.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.