XSS attack in title-tag

Question

I have a form where users can fill in a news article. This contains a title and body. For each page to have a unique title, I'm using the user input (title) in the <title>-tags:

<title>$userinput</title>

I'm wondering - is it possible for the user to perform an XSS-attack this way? Should I escape this user input using htmlspecialchars?

The same also applies to <meta>-tags. I'm using user input for the description:

<meta name="description" content="$userinput" />

Can a user perform XSS-attacks in <title> and <meta>-tags?

As soon as you write unescaped HTML to a webpage, there is a possibility of XSS. — zneak, Jul 31 '11 at 17:51
possible duplicate of [Should I htmlspecialchar() variables inside ?](http://stackoverflow.com/questions/638057/should-i-htmlspecialchar-variables-inside-title-title) — mercator, Jul 31 '11 at 17:56

score 6 · Accepted Answer · edited May 23 '17 at 12:11

6

Should I escape this user input using htmlspecialchars?

Yes. Location doesn't matter. All user input should be escaped.

References:

edited May 23 '17 at 12:11

Community

1
1

answered Jul 31 '11 at 17:48

Mike B

31,886
13
87
111

score 3 · Answer 2 · answered Jul 31 '11 at 17:49

3

He could close any tag first:

</title><script> alert('here I am') </script>

answered Jul 31 '11 at 17:49

Qwerty

1,732
1
13
18

score 0 · Answer 3 · answered Jul 31 '11 at 17:51

0

It is possible to perform an XSS attack that way.

I'd use htmlentities to begin with. Also you might want to consider HTML Purifier. Lastly, you might want to consider PHPIDS. That would be a bit overkill for most situations though...

answered Jul 31 '11 at 17:51

Chris Smith

764
1
9
22

XSS attack in title-tag

3 Answers3