PHP escape XSS in variable path

Asked Oct 12 '18 at 12:09

Active Oct 12 '18 at 12:25

Viewed 30 times

i have some trouble with a little XSS.

This is my PHP/JS Code:

$('#fileTree').fileTree({
    path: '<?php echo $path; ?>/',
    script: 'something.php',
    expandedFolders: ['data'],
    multiFolder: true,
},
    function (file) {
        alert(file);
    }
);

First of all, i know this is vulnerable to XSS.

the code works well if $path doesnt contain special characters. in my case, $path contains '/somedir/customers/hi'all/orders/'.

Here is an example:

$('#fileTree').fileTree({
    path: '/somedir/customers/Hi'All!-e.v/',
    script: 'something.php',
    expandedFolders: ['data'],
    multiFolder: true,
},
    function (file) {
        alert(file);
    }

Normaly i would use htmlspecialchars() to avoid XSS, but here it will convert the "'" to "&#039" and this will break my application, because i use the "path" value on windows/unix directorys.

Anybody here have an idea how i can solve my problem?

edited Oct 12 '18 at 12:25

executable

3,365
6
24
52

asked Oct 12 '18 at 12:09

frTsf3f

Would you be able convert the `'` character to something else, say a pipe `|`, then change it back as required? Might not be suitable for you I guess though. – Adam Oct 12 '18 at 12:11
Or is it not always an `'`? – Adam Oct 12 '18 at 12:12
`addslashes($path)` ? – sietse85 Oct 12 '18 at 12:12

PHP escape XSS in variable path

0 Answers0