
Is htmlspecialchars() a foolproof way of preventing any risk of an XSS attack on HTML element attributes?

For example, in this input element will the use of htmlspecialchars() also encoding quotes ensure total safety?

Logically it would seem so as it would stop any string from breaking out of the context of the value attribute; or is there more that could be done?

<input type="text" value="<?php echo htmlspecialchars($dangerousString, ENT_QUOTES, 'UTF-8'); ?>">
Omar
Smithy
  • What does the value of a text input field have to do with xss protection? – arkascha Oct 17 '14 at 09:40
  • In a situation where form fields are being repopulated with the data a user entered after form validation failed. With no protection a string starting with "> could end the attribute and element. – Smithy Oct 17 '14 at 09:51
  • This is not possible by just entering text into a text input. It would require manipulating the DOM accordingly. And that means the attacker already has scripting access, so it is too late. – arkascha Oct 17 '14 at 09:55
  • @arkascha — You are missing the point. The text is in the HTTP request. The PHP is reading it and putting it into the HTML. That is how XSS usually works. – Quentin Oct 17 '14 at 10:01
  • Thanks Quentin, that's what I was trying to explain. Is my solution suitable / safe in the given situation? – Smithy Oct 17 '14 at 10:03
  • @Sam — I think so, but there might be complications from things like the UTF-7 bug so I'm not 100% certain. – Quentin Oct 17 '14 at 10:05

1 Answer


Assuming you're using a modern version of php, htmlspecialchars should do the trick.

It's important to note that you also must provide the same encoding (utf8) for the whole page via headers and meta tags. Otherwise, you're subject to UTF-7 injection.

Also do note that htmlspecialchars is fine only for attributes like value that don't interpret javascript. It's not enough for src and friends.

georg
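The following is an added example, not code from the question or from georg's answer, showing the three points made on this page together in one PHP page: the escaped value attribute from the question, the explicit UTF-8 declaration in both the header and a meta tag that the answer calls for, and a scheme check for a URL attribute, where escaping alone is not enough. The function names escAttr and safeUrl, and the sample strings standing in for repopulated form data, are assumptions made for the example.

```php
<?php
// Added example (not from the question or the answer). escAttr, safeUrl and the
// sample inputs below are assumptions made for illustration.
declare(strict_types=1);

// 1. Declare the encoding explicitly in the HTTP header (and again in <meta>
//    below) so the browser never falls back to sniffing a charset such as UTF-7.
//    header() must run before any output.
header('Content-Type: text/html; charset=UTF-8');

// 2. Escape a string for use inside a double-quoted attribute or element text.
//    ENT_QUOTES escapes both quote characters; ENT_SUBSTITUTE replaces invalid
//    UTF-8 sequences instead of returning an empty string (which would silently
//    drop the whole value).
function escAttr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 3. A URL attribute (href, src) needs more than escaping: the value must also
//    be a URL whose scheme the page is willing to follow. Anything else becomes "#".
function safeUrl(string $url): string
{
    $url = trim($url);
    // Browsers strip embedded control characters before parsing a URL, so a
    // value containing them is rejected rather than parsed here.
    if (preg_match('/[\x00-\x20]/', $url)) {
        return '#';
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return '#';
    }
    $scheme = strtolower($parts['scheme'] ?? '');   // '' means a relative URL
    if (!in_array($scheme, ['http', 'https', ''], true)) {
        return '#';                                  // e.g. javascript:, data:
    }
    return escAttr($url);
}

// Constructed sample inputs standing in for $_POST values being repopulated
// after a failed validation.
$dangerousString = '"><script>alert(1)</script>';
$dangerousUrl    = 'javascript:alert(1)';
?>
<!DOCTYPE html>
<html>
<head>
  <meta charset="UTF-8">
</head>
<body>
  <form method="post">
    <!-- Renders as value="&quot;&gt;&lt;script&gt;..." and stays inside the attribute -->
    <input type="text" name="q" value="<?= escAttr($dangerousString) ?>">
    <!-- Escaping alone would leave a working javascript: URL; the scheme check replaces it with "#" -->
    <a href="<?= safeUrl($dangerousUrl) ?>">link</a>
  </form>
</body>
</html>
```

The value attribute case needs only escAttr, which is the question's own call with ENT_SUBSTITUTE added. The href case is where the answer's "src and friends" caveat applies: htmlspecialchars leaves the colon in javascript: untouched, so the scheme has to be checked before the value is escaped and emitted.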