
When using json_encode to print variables from PHP to JavaScript like:

const field = <?= json_encode($_GET['field']) ?>;

Is there any XSS or other injection risk? These variables won't be used in any SQL related task but JavaScript only. I don't want the user to be able to pass/execute any JS code through the GET parameter.

EDIT: I can't seem to get a definite answer so I'll try to ask it differently: I want to print $_GET['field'] and be guaranteed that whatever its contents are, it'll be in the field constant as a string. What's the best way to achieve that? I'm using json_encode($_GET['field'], JSON_HEX_TAG|JSON_UNESCAPED_UNICODE) at the moment.

  • Does this answer your question? [Is json_encode Sufficient XSS Protection?](https://stackoverflow.com/questions/12062146/is-json-encode-sufficient-xss-protection) – Sumurai8 Jun 13 '22 at 14:48
  • @Sumurai8 Not really, they say it's not made for protection against XSS attacks, but they don't actually give a concrete example of how they could be exploited. – Abderrahim Benmelouka Jun 13 '22 at 21:31
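The following is an added example, not code from the question's author, showing what the flags in the question actually change when the encoded value lands inside an inline <script> block. The helper name js_string_literal and the probe values are constructed for illustration; the behaviour of json_encode and its flags is standard PHP (JSON_INVALID_UTF8_SUBSTITUTE needs PHP 7.2 or later). The two defects it guards against that plain json_encode($_GET['field']) does not are a non-string value (?field[]=x makes $_GET['field'] an array, so the constant is no longer a string) and invalid UTF-8 (json_encode returns false, so the page prints "const field = ;" and the script dies with a syntax error).

```php
<?php
// Added example (not the question author's code): builds the JS literal the
// way the question does and shows what each json_encode flag changes.

declare(strict_types=1);

/**
 * Returns a JavaScript string literal for $value that is safe to embed
 * inside an inline <script> block, and is always a string literal.
 */
function js_string_literal($value): string
{
    // $_GET['field'] is an array when the URL carries ?field[]=x; coerce it so
    // the JS constant is always a string, as the question requires.
    if (!is_string($value)) {
        $value = '';
    }
    // JSON_HEX_TAG: '<' and '>' become \u003C / \u003E, so a value containing
    // "</script>" or "<!--" can never be read as HTML by the browser's parser.
    // JSON_HEX_AMP / JSON_HEX_APOS / JSON_HEX_QUOT: not needed inside <script>,
    // but harmless, and required if the literal is ever placed in an attribute.
    // Slashes stay escaped (no JSON_UNESCAPED_SLASHES): "<\/script>" is a
    // second line of defence against closing the tag early.
    // JSON_UNESCAPED_UNICODE keeps non-ASCII readable; PHP 7.1+ still escapes
    // U+2028/U+2029 unless JSON_UNESCAPED_LINE_TERMINATORS is also given, so
    // the literal stays valid even in engines that treat them as newlines.
    // JSON_INVALID_UTF8_SUBSTITUTE: malformed bytes become U+FFFD instead of
    // json_encode() returning false (which would print "const field = ;").
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_UNICODE | JSON_INVALID_UTF8_SUBSTITUTE;
    return json_encode($value, $flags);
}

// Constructed probe values, not data from the page.
$probes = [
    'tag breakout'     => '</script><script>alert(1)</script>',
    'html comment'     => '<!--<script>',
    'line terminator'  => "a\u{2028}b",
    'invalid utf-8'    => "abc\xff",
    'array, not string' => ['x'],
];

foreach ($probes as $name => $probe) {
    // Plain json_encode as written in the question, versus the hardened form.
    printf("%-18s plain: %s\n", $name, var_export(json_encode($probe), true));
    printf("%-18s safe : %s\n\n", $name, js_string_literal($probe));
}

// Usage in the template, mirroring the question's line:
// const field = <?= js_string_literal($_GET['field'] ?? '') ?>;
```

Running it shows that plain json_encode already turns "</script>" into "<\/script>", which an HTML parser does not treat as a closing tag, so the breakout in the first probe is blocked with or without JSON_HEX_TAG as long as JSON_UNESCAPED_SLASHES is never added. The cases where the plain call fails the "always a string" requirement are the last two: invalid UTF-8 yields false (nothing is printed) and an array yields a JSON array literal rather than a string.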

0 Answers