
Ok so I've learned a bit of PHP and tried making a simple application, but I am not sure whether my webpage is secure from XSS and other such attacks.

My PHP CODE

<?php
$title = $keywords = $description = "";
$valid_er = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {

    if (empty($_POST['title'])) {
        // Bootstrap validation class shown when the title is missing
        $valid_er = "has-error";
    } else {
        // &lt; and &gt; are used on purpose so the generated tag is displayed
        // literally instead of being interpreted by the browser
        $title = "&lt;title&gt;" . test($_POST["title"]) . "&lt;/title&gt;";
    }

    // These fields may be absent from $_POST, so default them to "" to avoid
    // undefined-index notices
    $keywords = '&lt;meta name="keywords" content="' . test($_POST["keywords"] ?? "") . '" /&gt;';
    $description = '&lt;meta name="description" content="' . test($_POST['description'] ?? "") . '" /&gt;';
}

// Encodes user input for output in HTML; stripcslashes() is not needed for
// HTML escaping (see the answer below)
function test($ci) {
    $ci = htmlentities($ci);
    $ci = stripcslashes($ci);
    return $ci;
}
?>

And MY HTML FORM

<form method='post' class='form-group' action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">
    <label> Your Title </label> <input placeholder="Your website's title" type="text" name="title" class='form-control form-group-item' /><br />
    <label> Keywords </label> <input placeholder="Your keywords separated by comma" type="text" name="keywords" class='form-control form-group-item' /><br />
    <label> Description </label> <textarea placeholder="A nice description about your website;" name="description" class='form-control'></textarea><br />
    <input type="submit" class='btn btn-info'>
</form>

I just wanted to know, am I vulnerable to cross-site scripting? Because I don't think only using htmlspecialchars() will protect me.

aynber
Wasim Ahmad
  • See http://stackoverflow.com/questions/1996122/how-to-prevent-xss-with-html-php – christophetd Apr 12 '15 at 12:14
  • If you can tell me whether my code is secure, it will be really helpful – Wasim Ahmad Apr 12 '15 at 12:17
  • You don't need to use stripcslashes to escape HTML. htmlspecialchars is enough. Also, when you write HTML in your PHP code, you shouldn't use escaped characters such as `<`, because they will be printed in the browser instead of being interpreted. Basically: when YOU write HTML, write it normally; when you display something coming from a user input, use htmlspecialchars. Does this help? – christophetd Apr 12 '15 at 12:20
  • Actually, I had earlier made the same code for adding the value of name, therefore as name doesn't contain slashes I did all that, but I used the same code. And I am using &lt; because I want to display "<". Your reply really helped, thank you. – Wasim Ahmad Apr 12 '15 at 13:00

1 Answer

I just wanted to know am I vulnerable to cross-site scripting

No, you are not, and just using htmlspecialchars will protect you against XSS in most cases (if you use double quotes around attributes and follow the rules in my last paragraph).

You don't need to use stripcslashes, and you don't need to encode your own <, etc.

Do note however that htmlspecialchars does not encode a single quote (') by default. I mention this because for your form tag, you mainly use single quotes, and just double quotes for the action, which is a really good idea, as otherwise your code would be vulnerable to XSS. To avoid this problem, you can use htmlspecialchars($string, ENT_QUOTES, 'UTF-8');, with which single quotes would also be encoded. You still can't just omit using any quotes (if you do that, preventing XSS becomes a lot more complicated, as you would need to escape all characters with which you can break out of that context, which include space, +, etc.), but with this, you can use double or single quotes and be safe.

For more information, check out this site about XSS prevention (it tells you where this kind of encoding is not enough; you should never put user input inside <script>, <style>, HTML comments, attribute names, or tag names).

tim
  • Thank you for your help, I will surely implement all your tips. – Wasim Ahmad Apr 12 '15 at 14:02
  • Why is `htmlentities` recommended over `htmlspecialchars`? And `htmlspecialchars` *does* replace the double quote `"` by default, it’s the single quote `'` that isn’t replaced by default. – Gumbo Apr 12 '15 at 14:45
  • @Gumbo thanks, you are of course right about the quotes. And I take back what I said about `htmlentities`, it doesn't offer anything that `htmlspecialchars` doesn't offer (regarding XSS). – tim Apr 12 '15 at 15:09
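Pulling together the advice in the answer and comments above (write your own markup plainly, encode only user-supplied values, and pass ENT_QUOTES so single-quoted attributes are covered too), here is an added example. It is not the asker's or the answerer's code; the helper name `e()`, the `renderHead()` function and the sample input are constructed for illustration. One caveat the 2015 answer predates: since PHP 8.1 the default flags of htmlspecialchars already include ENT_QUOTES, so the comparison below passes ENT_COMPAT explicitly to reproduce the older default (double quotes encoded, single quotes left alone) on any PHP version.

```php
<?php
// Added example, not code from the question or answer: one escaping helper
// used at every point where user input lands in HTML, plus a side-by-side
// showing why ENT_QUOTES matters for single-quoted attributes.
declare(strict_types=1);

// Encode a value for an HTML text node or a quoted attribute value.
// ENT_QUOTES encodes both " and ', so the result is safe inside single- or
// double-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 sequences
// instead of returning an empty string (which would silently drop the value).
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the <head> fragment the asker generates. The tags are literal HTML
// written normally; only the interpolated user values pass through e().
function renderHead(string $title, string $keywords, string $description): string
{
    $out  = '<title>' . e($title) . "</title>\n";
    $out .= '<meta name="keywords" content="' . e($keywords) . "\" />\n";
    $out .= '<meta name="description" content="' . e($description) . "\" />\n";
    return $out;
}

// Same input placed in a single-quoted attribute under two flag sets:
// ENT_COMPAT (the pre-8.1 default) leaves ' untouched, so the input can end
// the attribute value early; ENT_QUOTES encodes it and the value stays put.
function compareQuoteHandling(string $input): array
{
    return [
        'ent_compat' => "<input value='" . htmlspecialchars($input, ENT_COMPAT, 'UTF-8') . "'>",
        'ent_quotes' => "<input value='" . e($input) . "'>",
    ];
}

// Constructed sample input (not from the page): a title containing a single
// quote, double quotes and angle brackets, the characters that matter for
// text nodes and for both attribute quoting styles.
$sample = 'Bob\'s "Best" <Site>';

echo renderHead($sample, 'php, security', 'A site about PHP.');

foreach (compareQuoteHandling($sample) as $mode => $html) {
    echo $mode, ': ', $html, "\n";
}
```

Running it shows the single quote surviving unencoded in the `ent_compat` line and appearing as a character reference in the `ent_quotes` line, while `renderHead()` emits the asker's title and meta tags as real markup with every user value encoded. Keeping a single `e()` helper also makes review easy: any `echo` of request data that does not go through it stands out.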