Will this method prevent from xss

Asked Aug 12 '15 at 21:24

Active Aug 12 '15 at 21:24

Viewed 36 times

friend found an interesting method, that should protect from xss injection.

<?php
$source = @$_GET['htmlsc'];
$source = mb_convert_encoding($source, 'UTF-7');
$source = htmlspecialchars($source); //defaults to ISO-8859-1
header('Content-Type: text/html;charset=UTF-8');
echo '<html><body><img src=' . $source . '></body></html>';
?>

This prevent from using characters such as = # < > ; " I've tried many things, but none worked. The biggest problem is that I'm not allowed to use equal sign. Is there something I missed and XSS is possible? Thanks in advance.

asked Aug 12 '15 at 21:24

Berrigan

2

Doesn't do anything to single quotes. Why not just encode the quotes with the `htmlspecialchars`, `ENT_QUOTES`? – chris85 Aug 12 '15 at 21:31
1

That piece of code looks like it's from this answer: http://stackoverflow.com/a/3117935/404623 – rink.attendant.6 Aug 12 '15 at 21:31
I've been given that code. – Berrigan Aug 12 '15 at 21:34

Will this method prevent from xss

0 Answers0