
I have this piece of code which is a simple html page.

```php
<?php


    require_once ("include/config.php");
    require_once($home."include/main_pre_body.php");
    require_once($home."pop-ups/email/email_form.php")

?>

<!DOCTYPE html>
<html>

    <head>
    <meta charset="utf-8" />
        <link rel="stylesheet" type="text/css" href="css/style.css" />
        <link rel="stylesheet" type="text/css" href="css/calendar.css" />
        <link rel="stylesheet" type="text/css" href="css/time.css" />
    </head>

    <Title><?php echo $EMAIL_TITLE_TEXT?></Title>

    <!--    Load Email Form Window  -->
    <body onload="OpenEmailWin()" style="margin:0px;">

<?php

    require_once($home."include/main_post_body.php");

?>

    </body>

</html>
```

I want to prevent all forms of possible XSS attacks and I can identify a few but not all.

This is the first line `<body onload="OpenEmailWin()" style="margin:0px;">` that I think shall be fixed. I have looked at XSS vulnerabilities but the use of < and /> has surprised me the most. I got that from this answer https://stackoverflow.com/a/16126384/492293

Can the use of < and /> make a web page prone to XSS attacks and what other parts of the simple page are vulnerable to a possible XSS attack?

Thanks.

Gandalf
  • What part of that code accepts user input? – Lawrence Cherone Sep 18 '18 at 19:07
  • Possible duplicate of [How to prevent XSS with HTML/PHP?](https://stackoverflow.com/questions/1996122/how-to-prevent-xss-with-html-php) – jwebb Sep 18 '18 at 19:07
  • No part of this page accepts user input. – Gandalf Sep 18 '18 at 19:07
  • Then it's safe from XSS.. :/ – Lawrence Cherone Sep 18 '18 at 19:08
  • I am not getting any user input but preventing-xss-from-within-html-elements presents an issue I had not entirely thought of. – Gandalf Sep 18 '18 at 19:09
  • If a user can't edit the output via some param then you don't have an XSS problem, you're trying to fix something which doesn't exist. Show some code which has an XSS problem. – Lawrence Cherone Sep 18 '18 at 19:12
  • Does any of the PHP or JavaScript load data that a user has produced or has write-access to? – Terry Carmen Sep 18 '18 at 19:24
  • @TerryCarmen Nope that does not happen. – Gandalf Sep 18 '18 at 19:29
  • You can use `.htaccess` try `Header always set X-Xss-Protection "1; mode=block"` or setup a CSP https://content-security-policy.com/ –  Sep 18 '18 at 19:39
  • @Gandalf : If the page includes no user/external data, there's no chance of XSS. – Terry Carmen Sep 18 '18 at 19:43
  • What do you mean by this: " preventing-xss-from-within-html-elements presents an issue I had not ". Where does your data come from? – Terry Carmen Sep 18 '18 at 19:49
  • Thanks all. @TerryCarmen It's probably something that I cannot explain fully. My friend has a report done by a vulnerability scanner called Beyondtrust and it's very very strict. I have researched 'preventing xss from within html' and I have actually found some docs on the matter https://paragonie.com/blog/2015/06/preventing-xss-vulnerabilities-in-php-everything-you-need-know I will look into it further. Thanks. – Gandalf Sep 18 '18 at 19:52
  • @Gandalf Find out exactly what the report is complaining about. If the page loads external resources, it's possible that it's vulnerable, if wherever the resource comes from is vulnerable. At that point, it becomes a judgement call about how trustworthy the included resources are. – Terry Carmen Sep 18 '18 at 19:55

1 Answer

The two functions `htmlspecialchars()` and `htmlentities()` are gonna help you. Use these functions while getting data with POST or GET, as shown below:

```php
htmlspecialchars($_POST["example"]);
htmlentities($_POST["example"]);
```

or

```php
htmlspecialchars($_GET["example"]);
htmlentities($_GET["example"]);
```
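Applied to the page in the question, as an added example that is not code from the question or the answer: the only dynamic value the page prints is `$EMAIL_TITLE_TEXT`, so it is escaped where it is output, and a CSP header like the one suggested in the comments is sent. The helper `e()`, the sample title value, the policy string and the file `js/email_onload.js` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: escape a value for HTML text or a quoted attribute,
// at the point of output rather than when the data is received.
function e(string $value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 with U+FFFD instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample value standing in for whatever config.php loads.
$EMAIL_TITLE_TEXT = 'Email </title><script>alert(1)</script>';

// Constructed policy: scripts and styles only from this origin. It also
// blocks inline handlers such as onload="..." and inline style="..."
// attributes, so the handler moves to an external script and the margin
// rule moves into css/style.css.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'");
header('X-Content-Type-Options: nosniff');
?>
<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8" />
        <!-- Rendered as text: Email &lt;/title&gt;&lt;script&gt;alert(1)&lt;/script&gt; -->
        <title><?php echo e($EMAIL_TITLE_TEXT); ?></title>
        <link rel="stylesheet" type="text/css" href="css/style.css" />
        <!-- Hypothetical file containing: window.addEventListener('load', OpenEmailWin); -->
        <script src="js/email_onload.js" defer></script>
    </head>
    <body>
    </body>
</html>
```

If the title only ever comes from a constant in `config.php`, the escaping changes nothing in the output, but it keeps the template safe if that value is later loaded from a database or a request.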