PHP & JavaScript alert containing a double-quote string

This is an example of a line that I should output in javascript alert ();

string with "double quote" in it

Since this line can be edited through PHP by my users, it is better to prevent XSS attacks. To do this in the HTML of my document, I usually do:

<?php echo( htmlspecialchars( $MY_STRING, ENT_QUOTES, 'UTF-8' ) ); ?>

This works great.

But now I just noticed that if I output the same line in a JavaScript alert:

<script>
alert( "<?php echo( htmlspecialchars( $MY_STRING, ENT_QUOTES, 'UTF-8' ) ); ?>" );
</script>

Alert output in this case:

string with &quot;double quote&quot; in it

What is the best way to output double quotes in an alert, but also prevent XSS injection?

+4
3 answers

ENT_NOQUOTES, "", addslashes js alert.

$string = 'string<< with "double quote" in it';
echo htmlentities(addslashes($string), ENT_NOQUOTES);

:

string&lt;&lt; with \"double quote\" in it

html

+3
alert( "<?php echo( addslashes( $MY_STRING ) ); ?>" );

addslashes() rather than htmlspecialchars().

addslashes() http://php.net/manual/en/function.addslashes.php

0

, XSS, , singlelestring, "

htmlspecialchars, :

<script>
    alert( "<?php echo addslashes($MY_STRING); ?>" );
</script>
0
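The same output done with context-specific encoding, as an added example that is not part of the original thread (it assumes the question's $MY_STRING variable and PHP 7.3 or later for JSON_THROW_ON_ERROR): the value is encoded as a JavaScript string literal first, and HTML-encoded on top of that only where the literal sits inside an HTML attribute.

```php
<?php
// Added example, not code from the original post. Assumes a variable
// $MY_STRING holding user-editable text, as in the question.
// Rule: encode for the innermost context first (a JavaScript string),
// then for the outer context (HTML) only where there is one.

// Return a complete JavaScript string literal, quotes included, that is
// safe to place inside a <script> element.
function js_string_literal(string $value): string
{
    // The JSON_HEX_* flags replace < > & ' " with \uXXXX escapes, so the
    // literal can neither terminate the enclosing <script> element nor
    // break out of its own quotes. Non-ASCII characters (including the
    // line terminators U+2028/U+2029) are \u-escaped by default.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Same literal, additionally HTML-encoded for use inside an HTML attribute
// such as onclick="...": the browser decodes &quot; back to " before the
// JavaScript parser runs, so the script sees the literal above unchanged.
function js_string_literal_in_attribute(string $value): string
{
    return htmlspecialchars(js_string_literal($value), ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: double quotes, a single quote, a tag and a newline.
$MY_STRING = 'string with "double quote", it\'s <here>' . "\n";

// 1) Inside a <script> block: no htmlspecialchars(); the literal already
//    carries its own quotes, so none are written around the PHP tag.
echo "<script>\nalert(", js_string_literal($MY_STRING), ");\n</script>\n";

// 2) Inside an attribute: HTML-encode the JavaScript literal.
echo '<button onclick="alert(', js_string_literal_in_attribute($MY_STRING), ')">Show</button>', "\n";
```

The first fragment shows the alert with the real double quotes restored, which is where the question's htmlspecialchars() call produced &quot; instead.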

Source: https://habr.com/ru/post/1652058/
