I would like to prevent XSS attack on my website using PHP.

I know that there are 3 functions which could basically prevent this attack, but I'm not sure which one I should use. I have seen other questions about this before, but I didn't get a CLEAR answer for this question.

Which one should I use, which one is the best in your opinion and why?

Exorcist
    What questions have you seen, and how were the answers not clear? – Jon May 30 '13 at 11:48
  • Neither. There are better options. [**htmlpurifier**](http://www.htmlpurifier.org) – itachi May 30 '13 at 11:49
  • @itachi: For the record, I consider that a very inferior option. – Jon May 30 '13 at 11:50
  • Someone says that I should use HTMLentities, someone told me to use HTMLspecialchars, someone tells to use stripslashes, I don't really know which one is the best at the moment, to use. – Exorcist May 30 '13 at 11:51
  • @Exorcist: So you ask this question. And then someone else will tell you to do X (actually, itachi *already did that*). How did that improve the situation? Is having heard N+1 opinions better than having heard N? – Jon May 30 '13 at 11:53
  • Because of this question I have asked in my first post: "Which one should I use, which one is the best in your opinion and why?" – Exorcist May 30 '13 at 11:54
  • @Jon probably it is if compared to another Y library. but comparing to `Htmlentities OR htmlspecialchars OR stripslashes`, it certainly is better. – itachi May 30 '13 at 11:54
  • Hey guys, that's a valid question and a serious topic. And there are a lot of Myths and Rumors about "preventing attacks" around there so get the questioner helped and don't blame each other on breadcrumbs. – Axel Amthor May 30 '13 at 11:56
  • I don't have much more to add apart from [this](http://stackoverflow.com/q/1996122/50079) and [this](http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php). I have no idea how those answers can be considered unclear. – Jon May 30 '13 at 11:58

2 Answers

htmlspecialchars or htmlentities will protect you if you are outputting untrusted data between tags, but will not protect you if the output goes into a JavaScript event handler.

The way to use this function is something like this:

```php
// $string is the untrusted value; ENT_QUOTES escapes both ' and ", and the
// explicit charset keeps the escaping consistent with the page encoding.
echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
```

Take a look at the OWASP XSS prevention cheat sheet...

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

http://code.google.com/edu/security/index.html#videos

Pank
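The three output contexts the answer distinguishes (between tags, inside a quoted attribute, inside JavaScript), as an added PHP example that is not Pank's code: `escapeHtml` and `escapeJs` are helper names chosen here, and `$untrusted` is a constructed sample value, not real request data.

```php
<?php
// Added example: the correct escaping depends on where the value is output.
// htmlspecialchars() covers HTML text and attribute values; data embedded in
// JavaScript needs a JS-aware encoder such as json_encode() with HTML-safe flags.
declare(strict_types=1);

/** Escape for HTML element content or a double-quoted attribute value. */
function escapeHtml(string $value): string
{
    // ENT_QUOTES escapes both ' and ", ENT_SUBSTITUTE avoids returning '' on
    // malformed UTF-8, and the explicit charset prevents encoding mismatches.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Escape for a JavaScript string literal inside a <script> block. */
function escapeJs(string $value): string
{
    // JSON_HEX_* turn <, >, &, ' and " into \uXXXX, so the value can neither
    // close the surrounding <script> tag nor break out of the string literal.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample input containing the characters each context cares about.
$untrusted = '"><script>alert("x")</script>';

// Context 1: between tags. htmlspecialchars() is sufficient here.
echo '<p>Hello, ' . escapeHtml($untrusted) . "</p>\n";

// Context 2: quoted attribute value. Still fine, because ENT_QUOTES handles ".
echo '<input value="' . escapeHtml($untrusted) . "\">\n";

// Context 3: JavaScript string. htmlspecialchars() alone is NOT enough here;
// json_encode() with the JSON_HEX_* flags yields a literal the JS parser
// cannot misread as markup.
echo '<script>var name = ' . escapeJs($untrusted) . ";</script>\n";

// Context 4: inline event handler. The attribute is HTML but its value is JS,
// so escape for the inner context (JS) first, then the outer one (HTML).
echo '<button onclick="greet(' . escapeHtml(escapeJs($untrusted)) . ')">Hi</button>' . "\n";
```

Run it from the command line and inspect the output: every context renders the input as inert text, and the JavaScript contexts show `\u003C`-style escapes rather than raw angle brackets.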

None of them can prevent an attack. You may only limit the damage!

But using all or just one is not the question; it's about application design and whether it's possible to modify requests in a way that the result goes down to the database level.

See this - probably this will give you an idea of the complexity of XSS attacks.

Axel Amthor
  • This is simply not true. – Jon May 30 '13 at 12:00
  • If you're going to sanitize the request values (POST/GET) in order to not have malicious data in them, you're already _AFTER_ an attack and thus have not prevented it but are just dealing with the attack itself. – Axel Amthor May 30 '13 at 12:03
  • You are not going to *sanitize* anything, but instead properly *escape* the input before displaying it. In any case, using your definition of "prevent" there is no attack in the world that can be "prevented". I'm not sure how that definition is useful. – Jon May 30 '13 at 12:05
  • But that was the question: _I would like to prevent XSS attack on my website using PHP._ And I think we both mean the same: an attack cannot be prevented. – Axel Amthor May 30 '13 at 12:07
  • Only with your definition of "prevent" -- not with mine. But let's drop the subject here because it has moved past technology and gotten into philosophy. – Jon May 30 '13 at 12:10