
Hmm.. So I have a form. And I will check if the user 'answered' the form using the isset() function. However, will this be vulnerable to an XSS attack?

if (isset($_POST['answer'])) {
    $answer = htmlspecialchars($_POST['answer'], ENT_QUOTES, 'UTF-8');
    // Do other stuff here using the $answer variable..
}
else {
    // Form here
}

When I check for 'isset', I have not 'decoded' $_POST['answer'] with htmlspecialchars.. will this be vulnerable? I googled it but I can't seem to find any answer..

4 Answers

XSS enables attackers to inject client-side script into Web pages viewed by other users.

An XSS attack is possible when you are echoing (or printing, or ...) something. This code does not output anything to the browser, so the provided code is not vulnerable.

sectus
  • Someone can still take advantage of this code (if it omitted the `htmlspecialchars`) by creating a form which has some XSS code POSTing through to the asker's page. – Scopey Dec 12 '14 at 02:38
  • @Scopey, I do not know what the author is going to do with $answer. Maybe he wants to show it with an Android client, where `htmlspecialchars` could corrupt the text. Or output it with a CLI. You have to use `htmlspecialchars` when you are trying to show something in a browser. – sectus Dec 12 '14 at 02:41
  • Agreed. I misunderstood your answer. – Scopey Dec 12 '14 at 02:43

XSS attacks, SQL injection attacks and many related problems occur when arbitrary values are evaluated in a specific context according to certain rules, and not enough care is applied to make sure the input values do not trigger unwanted rules and side effects.

What does that mean in concrete terms? For example:

<script src="foo/bar.js"></script>

This snippet of text triggers certain actions when evaluated as HTML. It does not do anything when you evaluate it as plain text, or when you store it in a database, or when you print it onto a piece of paper.

If one of your users submits this kind of value in a form, it's just text and doesn't hurt anyone. It will only start to "do" something if you put this into HTML and let the browser evaluate it. That is an XSS attack.

Just doing if (isset($_POST['answer'])) does not do anything with the text as such. It does not evaluate the text's value. All it does is check for the existence of an array index. You can even safely do substr($_POST['answer'], 10) or any other possible text operation, nothing will parse and evaluate the string with HTML rules.

When you do need to embed text in text and have it evaluated, such as dynamically creating HTML output or SQL queries, you need to ensure arbitrary user input is properly escaped so as not to trigger unwanted special rules. (Or other equivalent methods to prevent accidental evaluation of the text, such as parameterised queries in case of SQL.) See for example How can I prevent SQL injection in PHP? and The Great Escapism (Or: What You Need To Know To Work With Text Within Text) for in depth details.

deceze
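A worked illustration of the point made in this answer, added here and not part of deceze's answer or the asker's code: the same attacker-controlled string is inert under isset()/substr() and only needs escaping at the sink where it is evaluated. The sample input, the answers table and the render/store function names are constructed for the example.

```php
<?php
// Constructed sample input, standing in for $_POST['answer'].
$answer = '<script src="foo/bar.js"></script>';

// Existence checks and plain string functions never parse the value as HTML;
// the result is still just text.
$exists = isset($answer);
$tail   = substr($answer, 10);
$length = strlen($answer);

// Sink 1: HTML element content. Escape at output time, for this context.
function renderAnswerHtml(string $raw): string
{
    return '<p>' . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Sink 2: an HTML attribute value. ENT_QUOTES also escapes ' and " so the
// value cannot break out of the quoted attribute.
function renderAnswerAttr(string $raw): string
{
    return '<input name="answer" value="' . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . '">';
}

// Sink 3: SQL. HTML escaping is the wrong tool here; a parameterised query
// keeps the value out of the statement that the database parses.
function storeAnswer(PDO $db, string $raw): void
{
    $stmt = $db->prepare('INSERT INTO answers (body) VALUES (:body)');
    $stmt->execute([':body' => $raw]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE answers (id INTEGER PRIMARY KEY, body TEXT)');

storeAnswer($db, $answer);
$stored = $db->query('SELECT body FROM answers')->fetchColumn();

// The raw text round-trips through storage unchanged; nothing was evaluated.
var_dump($stored === $answer);

// Only at the HTML sinks is the markup neutralised into literal text.
echo renderAnswerHtml($stored), PHP_EOL;
echo renderAnswerAttr($stored), PHP_EOL;
```

Escaping once at storage time (as the asker's code does) is not wrong, but it commits the stored value to one output context; escaping at each sink keeps the raw text reusable for a non-HTML consumer such as the CLI or mobile client mentioned in the comments above.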

XSS attacks are usually protected from by correctly handling user content on output. The safest way is to use strip_tags or the htmlspecialchars code that you have there.

In short, that is sufficient.

You can do your escaping just before output though, if that's more convenient for you. The attempted XSS will not affect your PHP code at all.

Scopey

isset will just check to see if there's an index called "answer" in the $_POST array. An XSS attack can't affect it.

Josiah Keller