Is addslashes() safe to prevent XSS in an HTML attribute?

I need to work on an old web application left by a previous developer. It uses addslashes() to prevent XSS in HTML attributes.

Here is an example:

    <?php
    // all $_POST vars are put through addslashes()
    echo "<input type='hidden' value='" . $_POST['id'] . "' />";
    ?>

Is it vulnerable to XSS? Is there a JavaScript method that can be run in the value attribute, like in the src attribute, for example src='javascript:alert(99)'? Or can the value attribute be broken, and then script tags inserted?

Edit: Thanks to Quentin, I found it to be vulnerable.

+4
2 answers

Is addslashes() safe to prevent XSS in an HTML attribute?

It is very ineffective.

Is it vulnerable to XSS?

Yes.

Is there a JavaScript method that can be executed in the value attribute, like in the src attribute, for example src='javascript:alert(99)'?

No

Or can the value attribute be broken, and then script tags can be inserted?

The data just needs to include " and the attribute is broken.

Use htmlspecialchars when you want to insert an arbitrary string into an attribute value.

+8

addslashes() is not suitable for this task. Use htmlspecialchars() or htmlentities(), for example:

    <input type="hidden" value="<?php echo htmlspecialchars($_POST['id'], ENT_QUOTES, 'UTF-8') ?>">
+3
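As an added example (not code from the question or either answer), the script below mimics PHP's addslashes() in Python, builds the single-quoted hidden input from the question, and parses the result with Python's standard-library HTML parser to show how a backslash-escaped quote still terminates the attribute, beside html.escape(quote=True), which encodes quotes as entities the way htmlspecialchars() with ENT_QUOTES does. The payload string is constructed for the demonstration.

```python
import html
from html.parser import HTMLParser


def addslashes(s: str) -> str:
    """Mimic PHP addslashes(): prefix ' " \\ and NUL with a backslash."""
    return (s.replace("\\", "\\\\")
             .replace("'", "\\'")
             .replace('"', '\\"')
             .replace("\x00", "\\0"))


def entity_escape(s: str) -> str:
    """Entity-encode & < > " ' like htmlspecialchars($s, ENT_QUOTES)."""
    return html.escape(s, quote=True)


class TagCollector(HTMLParser):
    """Record each start tag and its attributes as a browser would see them."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def render(value: str, escaper) -> str:
    """The single-quoted hidden input from the question, with one escaper applied."""
    return "<input type='hidden' value='" + escaper(value) + "' />"


def parse(markup: str) -> list[tuple[str, dict]]:
    """Return [(tag, {attr: value}), ...] for every start tag in the markup."""
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


# Constructed input: closes the quoted attribute and the tag, then adds a harmless <b>.
PAYLOAD = "x' /><b id='injected'>y"

if __name__ == "__main__":
    for name, esc in (("addslashes", addslashes), ("entity_escape", entity_escape)):
        # addslashes: the backslash is kept as data and ' still ends the attribute,
        # so a second element appears. entity_escape: one <input>, value intact.
        print(name, "->", parse(render(PAYLOAD, esc)))
```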

Source: https://habr.com/ru/post/1384277/
