7

I was asking myself about the security of using the PHP function htmlentities() against XSS attacks, and maybe also of related functions such as htmlspecialchars().

Thanks a lot :)

fat

3 Answers

8

You will need to explicitly specify a proper encoding (e.g. UTF-8). Chris had a post on how to inject code even when calling htmlentities without an appropriate encoding:

http://shiflett.org/blog/2005/dec/google-xss-example

Jay Zeng
  • Thanks a lot, that is exactly the kind of proof I was looking for :) I have to study encoding issues. Do you know some good documentation about that? – fat Dec 11 '09 at 23:07
  • I encourage you to read a real-world example of the Gmail contact XSS; reading the exploit, which is downloadable in the post below, will hopefully give you some ideas of how to write secure code: http://uneasysilence.com/archive/2007/01/9025/ And here is a cheat sheet you may find useful: http://openmya.hacker.jp/hasegawa/security/utf7cs.html – Jay Zeng Dec 11 '09 at 23:15
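As an added example (my own code, not from the answer above or from Shiflett's post), here is what "specify the encoding" looks like in practice: the charset declared to the browser before any output, the encoding and flags passed explicitly, and the UTF-7 form of `<script>` from the Google write-up shown passing through htmlentities() untouched, which is only harmless when the page is declared as UTF-8. The helper name is mine; the inputs are constructed. It needs PHP 5.4 or later for ENT_SUBSTITUTE.

```php
<?php
// Added example (not from the question or answers): why the charset
// matters for htmlentities()/htmlspecialchars() and what to set.

// Send the charset before any output so the browser never has to guess;
// the guessing is what the Shiflett post exploits. Repeat it in <head>
// for documents that get saved and opened from disk.
header('Content-Type: text/html; charset=UTF-8');

// Name the encoding and flags instead of relying on the defaults, which
// were ISO-8859-1 before PHP 5.4. ENT_QUOTES escapes both quote
// characters; ENT_SUBSTITUTE replaces invalid UTF-8 sequences with
// U+FFFD instead of returning an empty string.
function escapeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input: the UTF-7 spelling of "<script>...</script>" used
// in the Google XSS write-up. It contains none of & < > " ', so neither
// htmlentities() nor htmlspecialchars() changes a single byte of it.
$utf7Payload = '+ADw-script+AD4-alert(1)+ADw-/script+AD4-';
if (htmlentities($utf7Payload, ENT_QUOTES, 'UTF-8') !== $utf7Payload) {
    throw new RuntimeException('expected the UTF-7 payload to pass through unchanged');
}
// With the page declared as UTF-8, "+ADw-" stays six harmless ASCII
// characters. A browser left to sniff the encoding may decode them as
// "<" and execute the script.

// Constructed input: invalid UTF-8 (a lone 0xC0 byte). With the charset
// given but without ENT_SUBSTITUTE the whole string is silently dropped.
// That is a correctness problem rather than an XSS, but it shows that
// the encoding argument is actually applied to the input.
$broken = "a\xC0b";
if (htmlspecialchars($broken, ENT_QUOTES, 'UTF-8') !== '') {
    throw new RuntimeException('expected invalid UTF-8 to yield an empty string');
}

echo '<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>', "\n";
echo '<p>', escapeForHtml($utf7Payload), '</p>', "\n";
echo '<p>', escapeForHtml($broken), '</p>', "\n";   // U+FFFD substituted for the bad byte
echo '</body></html>', "\n";
```

Run it from the command line or behind a web server; the two checks throw if the behaviour described in the comments does not hold. The point to take away is that the escaping function cannot fix a charset mismatch: it only ever sees bytes, and whether `+ADw-` means "<" is decided by the Content-Type header and the meta tag, not by htmlentities().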
4

It is not bullet-proof; it never saves you 100%. You must remember that when it comes to security, the developer is responsible for it. Languages do provide a good deal of security functions, and beyond that it is up to the developer how they secure their site, whether they use a whitelist approach or a blacklist approach. If htmlentities were all it took, frameworks like CodeIgniter, Kohana and others would not have come up with their own great security functions.

The most important thing is to sanitize and filter any input coming from the user.

Sarfraz
0

No, functions like htmlspecialchars and htmlentities do not protect against all cases of Cross-Site Scripting.

Cases in which these functions won't help are:

Especially the latter reason is often missed. There are many examples in the OWASP XSS Prevention Cheat Sheet of where an injection can happen in an HTML document. But not all of them require any of the HTML special characters to inject and execute JavaScript code.

Gumbo
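To make the last point concrete, here is an added example (my own code, not from the answer above and not the cheat sheet's own samples) covering three output contexts from the OWASP XSS Prevention Cheat Sheet in which htmlspecialchars() alone does not stop injection, each beside a fixed version. All payloads are constructed and the helper names are mine; it needs PHP 5.4 or later.

```php
<?php
// Added example, not code from the answer above or from OWASP: output
// contexts where htmlspecialchars() alone does not stop injection, each
// beside a hardened version. Payloads are constructed; helpers are mine.

function escapeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1. Unquoted attribute value. The payload has none of & < > " ' so
//    escaping leaves every byte in place; the space ends the class value
//    and onmouseover becomes a second attribute.
$attr = 'x onmouseover=alert(1)';
$vulnerable1 = '<div class=' . escapeForHtml($attr) . '>x</div>';
// Fix: quote every attribute; ENT_QUOTES then neutralises the quote an
// attacker would need to close it.
$hardened1 = '<div class="' . escapeForHtml($attr) . '">x</div>';

// 2. URL attribute. A javascript: URL has no special characters either.
$href = 'javascript:alert(1)';
$vulnerable2 = '<a href="' . escapeForHtml($href) . '">go</a>';
// Fix: allowlist the scheme before escaping. Tabs and newlines are
// removed first because browsers ignore them inside a scheme
// ("java\tscript:"), and leading whitespace/control bytes are trimmed.
function safeHref(string $u): string
{
    $clean = preg_replace('/^[\x00-\x20]+/', '', str_replace(["\t", "\n", "\r"], '', $u));
    if (preg_match('#^([a-z][a-z0-9+.-]*):#i', $clean, $m)
        && !in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true)) {
        $clean = '#';   // refuse rather than try to repair it
    }
    return escapeForHtml($clean);
}
$hardened2 = '<a href="' . safeHref($href) . '">go</a>';

// 3. JavaScript contexts. An unquoted number slot needs no special
//    characters at all, and inside an event-handler attribute the
//    browser decodes &#039; back to a quote before running the code,
//    so the entity encoding is undone.
$id   = '1; alert(1)';
$name = "'); alert(1); //";
$vulnerable3a = '<script>var id = ' . escapeForHtml($id) . ';</script>';
$vulnerable3b = '<button onclick="show(\'' . escapeForHtml($name) . '\')">x</button>';
// Fix: emit the value as a JSON literal with the HEX flags so < > & ' "
// become \uXXXX escapes, and keep it in a <script> block, not a handler.
function jsLiteral(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
}
$hardened3 = '<script>var id = ' . jsLiteral($id)
           . '; var name = ' . jsLiteral($name) . ';</script>';

foreach ([
    [$vulnerable1, $hardened1],
    [$vulnerable2, $hardened2],
    [$vulnerable3a . "\n" . $vulnerable3b, $hardened3],
] as [$bad, $good]) {
    echo "vulnerable: $bad\nhardened:   $good\n\n";
}
```

Running it prints each pair so the difference is visible in the markup itself. In cases 1 and 2 the "vulnerable" output is byte-identical to the attacker's input even though htmlspecialchars() ran on it, which is exactly the point made above: the escaping is correct for HTML body text and quoted attribute values, and the fix for the other contexts is a different rule (quote the attribute, allowlist the URL scheme, serialise with json_encode()), not a stronger version of the same function.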