For global safety, is it safe to use htmlspecialchars or strip_tags when a user POSTs or GETs in PHP?
For example, htmlspecialchars any POST and GET that is sent by request and save that to the database.
For displaying purposes you could just use htmlspecialchars() or htmlentities() to ward off the common XSS attacks. It is not suggested to strip_tags() the data (unless it is really necessary), because that may lose all formatting if the user had provided any.
I would do sanity-checks depending on what you're expecting to get.
A good reading (like always) is the OWASP cheat-sheet: https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet#XSS_Cheat_Sheet
If you're expecting plain text, always use htmlspecialchars() when showing it to the web client. Some template engines, like Twig, already do that by default. For this case, I wouldn't do any checks when saving to the database, because you may need to encode it differently for another client later - and you expect it to be plain text, right?
If the user has an RTE and can make use of HTML, I'd use strip_tags() or a method like the ones used in other frameworks. An example is http://svn.openfoundry.org/wowsecmodules/trunk/filter/RemoveXSS.php. TYPO3 also has a pretty good one that you can view by downloading the package and looking into typo3/contrib/RemoveXSS/RemoveXSS.php
A workaround would be to use stuff like BB-Code or Markdown, handled as plain text, that is later compiled to HTML in your code, but this mostly confuses the editor, if he isn't used to stuff like that.
What I do not recommend at all, but is possible, is to let the browser do the job - see XSS Basic Understanding
EDIT:
The two libs I linked here for removing XSS from HTML data are both based on the same one, but have been forked into different projects and the communities applied fixes and so on. The goal of this method is like yours, even though I do not support it, because it sounds like a one-size-fits-all solution:
Usage: Run *every* variable passed in through it.
* The goal of this function is to be a generic function that can be used to
* parse almost any input and render it XSS safe. ...
Why am I against running this method on every input variable? You do not think about what you really want to get. Maybe you just want plain text ... In this case, as I wrote earlier here, you don't need to do that, but just use htmlspecialchars() when showing it in an HTML context.
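As an added example that is not part of either answer, this PHP snippet shows the "store as submitted, encode at output for the context" approach described above, with a constructed sample value; the function names escapeHtml, toJson and stripToAllowed are my own, not from any library mentioned on the page.

```php
<?php
// Added example: keep the stored value as submitted and encode it at output
// time for the context it is rendered in, instead of encoding before the
// database write.
declare(strict_types=1);

// Constructed sample input, as it might arrive via $_POST and be stored verbatim.
$stored = 'Tom & Jerry <script>alert(1)</script> said "hi" and it\'s fine';

// HTML body and attribute context. ENT_QUOTES encodes both single and double
// quotes (ENT_COMPAT, the pre-8.1 default, leaves single quotes alone, which
// matters inside single-quoted attributes); ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A different client (a JSON API, or a script block) needs a different encoding
// of the same stored value; this is why the answer recommends not encoding at
// save time.
function toJson(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Only when the user is allowed to submit HTML. Two things the answer warns
// about: everything outside the allow-list is lost (formatting included), and
// strip_tags() keeps the attributes of allowed tags, so an allow-list alone is
// not a complete XSS filter; a real HTML sanitizer is still needed for that.
function stripToAllowed(string $value): string
{
    return strip_tags($value, '<b><i><p>');
}

// Same stored value, three contexts, three encodings.
echo '<p>' . escapeHtml($stored) . "</p>\n";
echo '<input value="' . escapeHtml($stored) . "\">\n";
echo 'var comment = ' . toJson($stored) . ";\n";
echo stripToAllowed('<p>Hello <b>bold</b> <script>alert(1)</script></p>') . "\n";
```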