
Say I have a form with which the user inputs some information and it is submitted to the server using PHP, and in the PHP code I have, say:

$data = $_POST['data'];
// or
$data = strip_tags(@$_POST['data']);
  1. I want to know if strip_tags() is enough to stop JavaScript injection through HTML forms. If not, how else can this be prevented? I have read here.

  2. And also, say I input javascript:void(document.bgColor="blue") in the browser address bar; this changes the whole site background color to blue. How can JavaScript injection through the address bar be prevented?

Thanks.

diagold
  • Using the `filter_input()` and `filter_input_array()` functions is typically the better approach. You should completely avoid using the superglobals `$_GET` and `$_POST`, etc. – Octopus Jul 27 '17 at 19:47
  • Not even famous websites have such strong protection. Facebook has good protection, and it can still call functions, depending on browser ofc – Djordje Vujicic Jul 27 '17 at 19:54

4 Answers

3

I suggest using htmlspecialchars whenever you want to output something to the browser:

echo htmlspecialchars($data, ENT_QUOTES, 'UTF-8');

Check out this.

Ali Faris
2

For question 2, I'm not sure if that's even possible to prevent. It's not something I've ever considered before. It sounds like you're trying to prevent executing any javascript that wasn't included by you on the page, which would also mean blocking the devtools in the browser from executing anything in the console. This could potentially be hostile to your users, e.g. if they wanted to use a bookmarklet from Instapaper.

For 1, ultimately your goal is to avoid including this injected javascript from the form when you generate a new page. When you output the data from the form, you can wrap it in htmlspecialchars.

aplum
1

It depends which output you are trying to get.

In some cases, you'll want to leave the HTML tags, including script tags, but you want those elements not to run when you output them. In that case you should use htmlspecialchars($_POST['data']) (it's suggested to also define UTF-8 as the third parameter).

But if you want to remove the tags entirely, then strip_tags will prevent XSS.

Nati V
1

One function cannot fully protect you from script injection. Consider the following program:

<?php
// Both values are HTML-encoded, but the attributes they land in are unquoted.
if(isset($_POST['height']))
  $height=htmlspecialchars($_POST['height'], ENT_QUOTES, 'UTF-8');
else $height=200;
if(isset($_POST['width']))
  $width=htmlspecialchars($_POST['width'], ENT_QUOTES, 'UTF-8');
else $width=300;
echo("
<!DOCTYPE html>
<html>
<body>
<iframe src='whatever' height=$height width=$width>
</iframe>
</body>
</html>
");

The input is sanitized, but JavaScript will still be executed through a simple injection vector like:

300 onload=alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83))

You still need to quote your attributes, or you are vulnerable as in this example.

Another semi-common injection vector exists when user input is echoed into JavaScript comments and you can inject new lines or close the comment. I blame it on the 'this shit doesn't work as it should, but let's keep it around in a comment'-style of development.

Note: The XSS protection of many browsers will not run my simple example. If you want to try it use one without protection, or find a vector that defeats it (not sure if there is one for e.g. Chrome).

jh1711
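As an added example (not part of jh1711's answer or the other posts), here is the value from the answer's injection vector rendered three ways in PHP: into the answer's unquoted attribute, into a quoted attribute, and after integer validation with filter_var() (the filter_* approach Octopus raises in the comments). The render_* function names and the CLI layout are assumptions of this example; the input array stands in for $_POST.

```php
<?php
// Added example: the same untrusted value rendered three ways, so the
// difference between encoding, quoting and validating is visible.
// Run from the CLI: php attr_injection.php

// Constructed input, standing in for $_POST['width'] in the answer's program.
$untrusted = '300 onload=alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83))';

// 1. The answer's pattern: encoded with ENT_QUOTES but dropped into an
//    unquoted attribute. htmlspecialchars() leaves space, '=', '(' and '+'
//    untouched, so the browser parses "onload=..." as a second attribute.
function render_unquoted(string $width): string {
    $safe = htmlspecialchars($width, ENT_QUOTES, 'UTF-8');
    return "<iframe src='whatever' height=200 width=$safe></iframe>";
}

// 2. Same encoding, but the attribute is quoted. The value cannot break
//    out, because every '"' in the input has become &quot;.
function render_quoted(string $width): string {
    $safe = htmlspecialchars($width, ENT_QUOTES, 'UTF-8');
    return "<iframe src='whatever' height=\"200\" width=\"$safe\"></iframe>";
}

// 3. For a numeric field, validate the type as well: anything that is not
//    an integer in range is replaced by the default before it reaches markup.
function render_validated(string $width, int $default = 300): string {
    $n = filter_var($width, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 4096]]);
    if ($n === false) {
        $n = $default;
    }
    return "<iframe src='whatever' height=\"200\" width=\"$n\"></iframe>";
}

// strip_tags() does not help here either: the payload contains no tag at all.
echo "strip_tags: ", strip_tags($untrusted), PHP_EOL;
echo "unquoted:   ", render_unquoted($untrusted), PHP_EOL;
echo "quoted:     ", render_quoted($untrusted), PHP_EOL;
echo "validated:  ", render_validated($untrusted), PHP_EOL;
```

Only the first line of output carries a live onload attribute; the quoted version keeps the whole string inside width="...", and the validated version falls back to 300.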