
Outputting a SESSION following user input - protect against xss

I have this code to echo out a username of a user that has just logged in:

echo $_SESSION['user']['username'];

Would I be right in thinking that if I change my code to:

echo htmlspecialchars($_SESSION['user']['username']);

I am protecting myself from low-level XSS at least?

That depends on where you output the username. If it's between HTML tags, yes. If it's in an HTML attribute, it depends on the attribute. See the OWASP XSS prevention cheat sheet.

The function htmlspecialchars does not encode the single quotation mark (') by default; if your user name is echoed in an HTML attribute or inside JavaScript, there would be XSS!

For example:

<script>
name='$YOUR_NAME_HERE$';
</script>

We can set the user name to ';alert('xss');// so the browser will generate the HTML content like this:

<script>
name='';alert('xss');//';
</script>

And my advice to you is:

echo htmlspecialchars($_SESSION['user']['username'], ENT_QUOTES);
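As an added example (not code from either answer), the following script runs the payload quoted in the answer above through htmlspecialchars with the legacy ENT_COMPAT flag and with ENT_QUOTES, and renders the result in the three contexts the answers mention: HTML text, a single-quoted attribute, and a JavaScript string literal. The escape_js_string helper and the use of json_encode for the script context are assumptions added here; they follow the context-specific encoding the OWASP cheat sheet describes rather than anything stated on the page. Note that since PHP 8.1 the default flags already include ENT_QUOTES, so the example passes ENT_COMPAT explicitly to reproduce the pre-8.1 default the answer refers to.

```php
<?php
// Added example: compares htmlspecialchars() flags per output context.
// Constructed sample username: the payload quoted in the answer above.
$username = "';alert('xss');//";

// ENT_COMPAT was the default before PHP 8.1: encodes & < > " but leaves ' alone.
function escape_legacy(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8');
}

// ENT_QUOTES, as the answer advises: additionally turns ' into &#039;.
function escape_quotes(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Assumed helper: for a value placed inside a <script> block, an HTML encoder
// is the wrong tool (browsers do not decode entities there, and backslashes
// are left untouched). json_encode with the HEX flags produces a JavaScript
// string literal whose quotes, angle brackets and ampersands are \uXXXX-escaped
// and whose slashes are escaped, so it cannot close the literal or the tag.
function escape_js_string(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_UNESCAPED_UNICODE
    );
}

// Each context is a template the escaped value is dropped into.
$contexts = [
    'html text'               => fn(string $v): string => "<p>$v</p>",
    'single-quoted attribute' => fn(string $v): string => "<input value='$v'>",
    'js string literal'       => fn(string $v): string => "<script>name='$v';</script>",
];

foreach ($contexts as $label => $render) {
    echo "== $label ==\n";
    echo "ENT_COMPAT: " . $render(escape_legacy($username)) . "\n";
    echo "ENT_QUOTES: " . $render(escape_quotes($username)) . "\n";
}

// The JavaScript context done with a JavaScript encoder instead.
echo "== js string literal via json_encode ==\n";
echo "<script>name=" . escape_js_string($username) . ";</script>\n";
```

With ENT_COMPAT the single-quoted attribute and the script block are both broken out of exactly as the answer shows, while the HTML-text context is unaffected because the payload contains no `<`, `>` or `&`. With ENT_QUOTES the attribute is safe, and the script block no longer executes anything, but the user sees a mangled value (`&#039;` is not decoded inside `<script>`); the json_encode line shows the value surviving intact as a proper string literal, which is the encoder the script context actually needs.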
