Is htmlspecialchars() enough in all situations?

My users can embed anything in my database.

Thus, using a whitelist / blacklist of characters is not an option.

I am not worried about the database end (SQL injection), but rather about code being injected into my pages.

Are there situations where htmlspecialchars() will not be sufficient to prevent code injection?

+4
4 answers

Plain htmlspecialchars is not enough when inserting user text inside single quotes. You need to add ENT_QUOTES in this case, and you need to pass the encoding.

    <tag attr='<?php echo htmlspecialchars($usertext); ?>'> <!-- dangerous if ENT_QUOTES is not used -->

When inserting user text into JavaScript / JSON as a string, you need additional escaping.

I think it fails for some alternative character sets as well. But if you use one of the usual encodings (UTF-8, Latin1, ...), it will work as expected.

+2

Using htmlspecialchars is sufficient when inserting text inside HTML code. The way it encodes characters makes it impossible to “break out of” the resulting text. Thus, it cannot create other elements, nor script segments, etc.

However, in all other situations htmlspecialchars will not automatically be enough. For example, when you use it to insert content anywhere in JavaScript, such as when filling a JavaScript string, you will need additional methods to ensure security. In this case, addslashes may help.

So, depending on where you insert the resulting text, htmlspecialchars either gives you sufficient security or it does not. As the function name says, it only promises safety for HTML.

+2
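The two answers above make the same point: htmlspecialchars() is context-specific, and the flags and encoding matter. The following is an added example (not code from the original post) that shows the single-quoted attribute case, the JavaScript string case, and the invalid-UTF-8 case side by side; note that since PHP 8.1 the default flags already include ENT_QUOTES and ENT_SUBSTITUTE, so the "compat" variant below passes them explicitly to reproduce the older behaviour.

```php
<?php
declare(strict_types=1);

// Escaping for text nodes and double-quoted attributes only: single quotes
// are left untouched (this was the default behaviour before PHP 8.1).
function escapeCompat(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT | ENT_HTML401, 'UTF-8');
}

// Escaping for any HTML attribute, whichever quote style the template uses.
// ENT_SUBSTITUTE turns invalid UTF-8 into U+FFFD instead of returning "".
function escapeAttr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Embedding in a JavaScript string literal is a different grammar, so HTML
// escaping is the wrong tool. JSON-encode the value and hex-escape the
// characters that could close a surrounding quote or a <script> block.
function escapeJsString(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

// Constructed sample input containing an apostrophe and a tag.
$usertext = "O'Reilly <b>";

// The apostrophe survives ENT_COMPAT, so it terminates the attribute value
// early and whatever follows is parsed as markup.
echo "<a title='" . escapeCompat($usertext) . "'>\n";

// With ENT_QUOTES the apostrophe is encoded and the value stays intact.
echo "<a title='" . escapeAttr($usertext) . "'>\n";

// In a script block the value is a JSON string literal, not HTML text.
echo "<script>var t = " . escapeJsString($usertext) . ";</script>\n";

// Without ENT_SUBSTITUTE (or ENT_IGNORE) a single invalid byte makes
// htmlspecialchars() return an empty string, silently dropping the content.
$broken = "\xff";
var_dump(htmlspecialchars($broken, ENT_QUOTES, 'UTF-8') === '');
var_dump(escapeAttr($broken) === "\u{FFFD}");
```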

No, this is not enough in all situations. It depends a lot on your codebase. For example, if you use JavaScript to execute certain AJAX queries against a database, sometimes htmlspecialchars() will not be enough (depending on where you use it). If you want to protect cookies from XSS via JavaScript, htmlspecialchars() will also not be enough.

The following are examples of when htmlspecialchars() may fail: https://www.owasp.org/index.php/Interpreter_Injection#Why_htmlspecialchars_is_not_always_enough . Your question also depends heavily on which database you use (not everyone uses MySQL). If you are writing a complex application, I highly recommend using one of the many frameworks that abstract these annoying little details and let you worry about the application code.

+2

htmlspecialchars will be enough. Once < and > are converted to &lt; and &gt;, you can no longer include scripts.

0

Source: https://habr.com/ru/post/1380934/