I'm building an application that retrieves any type of user input, even if the user puts in XSS injection code. Besides that, I'm providing an admin view to show the full content of what the user put in, whether they put in HTML code, BB code, XSS, JavaScript, etc. (something like for analysis purposes).
I'm thinking that htmlentities($data, ENT_QUOTES) is enough for that, but after reading https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet I am more confused.
I don't want to remove any tag or script, I just want to display it in HTML with escaping. Is it safe if I put it in a textarea tag? I mean, if the data contains XSS, would it not be executed if it is in a textarea?
<textarea name="comment" rows="30" cols="100"><?php echo htmlentities($data, ENT_QUOTES); ?></textarea>
Or is there any secure way to display the XSS in the browser without the XSS itself being executed?
Sorry for my bad English.
Thanks
The code you have posted is prone to XSS: if your admin opens specially crafted user input, the attacker can gain administrative privileges to that page. Placing user code within a textarea or any other tag does not protect from XSS attacks. All the hacker has to do is close the textarea tag in his input and do whatever he wants to.
I'm glad that you found the OWASP cheat sheet :) it's very useful, you should follow it. Remember to escape all user input that is placed on the page.
I would recommend using htmlspecialchars and then doing some tests with the tags presented here. If you don't see a JS alert then your application is, to some extent, protected from XSS attacks.
XSS
Can you help me with this cross-site scripting? I am new to this.
Cross-site scripting is a code injection attack.
The problem is that the user (or someone else) enters a script instead of some input value. For example, a user puts a "<script>" tag in her comment.
If you then display a list of comments, that script will be executed for anyone visiting that page.
What you need to do is sanitize the outputs, that is, remove or escape all HTML code that you're writing on a page. That way, the <script> tag will be replaced with &lt;script&gt;, and it will become harmless while looking exactly the same.
I have been referring to a certain website about how htmlspecialchars is used to prevent malicious code injection, but I am now more confused than before. Assume that a hacker enters the following into a textbox:
<a href="http://nastywebsite.com">Nasty Website</a>
(If the above entities are decoded, they will read: Nasty Website)
Let's assume that the hacker has inserted the above code into the FIRST_NAME textbox of an online survey, so the malicious code will be associated with the 'first_name' attribute. And let's say the owner of this online survey wants to protect against HTML injection by having the following code:
<?php
$first_name = $_POST['first_name'];
$first_name = htmlspecialchars( $first_name );
echo $first_name;
?>
This is where I get confused. The hyperlink that will be echoed (as I understand it) is "Nasty Website". That means that an innocent user can still click on that hyperlink and he will unsuspectingly download malicious software onto his device. So what is the point of the htmlspecialchars function? Surely if the string was filtered by the htmlspecialchars function, as the above code suggests, the user would have seen the harmless text:
<a href="http://nastywebsite.com">Nasty Website</a>
instead of the hyperlink. And if the user DID see the entities instead of the hyperlink, he would not have been able to download malicious codes. I don't get it. Does the user see the ENTITY or the HYPERLINK?
If you don't escape your string, the user will see:
Nasty Website
If you escape, this is what he will see:
Nasty Website
HTML renderers decode entities as characters and do not interpret them as valid tags.
If you want to disallow HTML tags in your inputs, you can use strip_tags.
I'd need to load a user-given URL and display a div with my content after the content of the user-given website.
Implementing this would be trivial:
$c = file_get_contents($url);
echo $c . $myDivCode;
However, wouldn't this open my server to all kinds of security issues, such as XSS?
If so, what would be the best way to handle this, taking into account that I would like to be able to display the content of the user-given URL as well as possible (i.e. run all the safe scripts)?
The best way would probably be to display the site in an iframe like this:
echo "<iframe src=\"$url\"></iframe>";
This way the user loads the page directly from the URL, without your server proxying it.
However, since you're displaying information from another site, your site will always be vulnerable to XSS unless you remove scripts and HTML completely.
Of course you are open to XSS exploits.
To prevent XSS attacks, you just have to check and validate / escape properly all data; don't allow HTML or JavaScript code to be inserted from that URL.
Use htmlspecialchars() to convert HTML characters into HTML entities, so characters like <> that mark the beginning/end of a tag are turned into HTML entities, and you can use strip_tags() to only allow some tags, as the function does not strip out harmful attributes like onclick or onload.
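As an added example (not code from any of the posts above), this is how the iframe approach from the answer can be made safe: the user-supplied URL is checked before it is used as the iframe source, and is escaped when written into the attribute. The scheme allow-list and the sandbox policy are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the posts above: validate a user-supplied URL before
// using it as an iframe source, instead of fetching it with file_get_contents().
// The scheme allow-list and the sandbox policy are assumptions for illustration.
const ALLOWED_SCHEMES = ['http', 'https'];

/** Return the URL if it is an absolute http(s) URL with a host, otherwise null. */
function safeEmbedUrl(string $url): ?string
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;                                  // not a well-formed absolute URL
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Rejects javascript:, data:, file: and other schemes a browser would execute.
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return null;
    }
    return $url;
}

/** Render the framed page followed by our own div, or an error for a bad URL. */
function renderIframe(string $url, string $myDivCode): string
{
    $safe = safeEmbedUrl($url);
    if ($safe === null) {
        return '<p>Invalid URL.</p>';
    }
    // sandbox without allow-same-origin keeps the framed page away from this page's
    // cookies and DOM; escaping src stops a crafted URL from breaking out of the attribute.
    return '<iframe sandbox="allow-scripts allow-forms" src="'
        . htmlspecialchars($safe, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '"></iframe>' . $myDivCode;
}

// Constructed inputs: one legitimate URL and two hostile ones.
$myDiv = '<div class="mine">my content</div>';
assert(safeEmbedUrl('https://example.com/page') === 'https://example.com/page');
assert(safeEmbedUrl('javascript:alert(1)') === null);
assert(strpos(renderIframe('https://example.com/"><script>alert(1)</script>', $myDiv), '"><script') === false);
echo renderIframe('https://example.com/page', $myDiv);
```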
I have a script that registers users based on their user input. This uses prepared statements plus whitelists to prevent SQL injection. But I am struggling to understand the prevention of XSS.
From what I understand, you only need to prevent XSS if you are outputting HTML onto the page? What does this mean?
I'm guessing that with this register page it doesn't apply because I am not outputting HTML to the web page? Is that right?
If I was to prevent XSS, do I use htmlspecialchars?
Generally correct. If you are having any returned values show up on the page, or if you are inserting information into the database for later retrieval and display (like user profile information), you will want to use htmlspecialchars.
For me, when I do my user registration, if they fail to enter a correct value in an input field, I redisplay the page with the values they entered. In this case, I have it encoded with htmlspecialchars.
If at any point you ever plan on redisplaying the information from the DB in a webpage (as mentioned with profiles and the like), you should use htmlspecialchars.
Better safe than sorry, I always say: never trust user input.
Basically, XSS happens when you take the user's input unsanitized and display it in your webpage.
For example: A user inputs
<script>alert('hello you are hacked');</script>
In a text box, and you show this in your webpage after it is registered like
Hello, $username
This suddenly gets turned into
Hello, <script>alert('hello you are hacked');</script>
This is one form of XSS.
One efficient way to prevent XSS is like this:
echo htmlspecialchars($varname, ENT_QUOTES, 'UTF-8');
From what I understand, you only need to prevent XSS if you are outputting HTML onto the page? What does this mean?
XSS is an attack carried out by the server outputting HTML (in practice, Javascript) to the client when it did not mean to do so (and obviously when that HTML was specially crafted and supplied by a hostile user).
I'm guessing that with this register page it doesn't apply because I am not outputting HTML to the web page? Is that right?
If you are not outputting anything that comes from user input you are safe.
If I was to prevent XSS, do I use htmlspecialchars?
Yes, that is sufficient.
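Serving both the textarea question at the top of the page and this registration question, an added example (not code from any of the posts above) of one escaping helper applied everywhere untrusted input is written back into HTML, including inside a textarea. The field names 'username' and 'comment' are assumptions for illustration.

```php
<?php
// Added example, not code from the posts above: one escaping helper used for every
// place untrusted input is written back into HTML, including inside a <textarea>.
// The field names 'username' and 'comment' are assumptions for illustration.

/** Escape for HTML text content and for quoted attribute values. */
function e(string $value): string
{
    // ENT_QUOTES also encodes the single quote, so the result is safe inside
    // single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string, which would silently blank out a field.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Redisplay the registration form with the submitted values preserved. */
function renderForm(string $username, string $comment): string
{
    return '<form method="post">'
        . '<input name="username" value="' . e($username) . '">'
        . '<textarea name="comment" rows="30" cols="100">' . e($comment) . '</textarea>'
        . '</form>';
}

// Constructed hostile input: the username tries to leave the value attribute and
// the comment tries to close the textarea early, which is how a textarea alone fails.
$username = '"><script>alert(1)</script>';
$comment  = 'harmless</textarea><script>alert(1)</script>';
$html = renderForm($username, $comment);

// Only the markup we wrote survives as tags; the input is now literal text.
assert(substr_count($html, '</textarea>') === 1);
assert(strpos($html, '<script>') === false);
echo $html;
```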
I am looking for a way or function that will allow me to display data from my MySQL database. The users are allowed to post articles, and I use mysql_real_escape_string to avoid SQL injection before inserting their posts in the DB.
For my testing purposes I write in a textarea my post with tags like <b> <a> <i> <li>.
Later I will use an editor like the one here on Stack Overflow to help users with their posts.
However, I am aware of XSS, and just echoing straight from the DB may lead to XSS attacks. So, for my tests I chose to output the content with htmlentities or htmlspecialchars. Neither of them will show me the post correctly with HTML.
Therefore, I used strip_tags, but as far as I know and have read, it is not safe.
What is a function that you may use too, that will let me output the data correctly, just like this, and prevent XSS?
If you want to display HTML correctly you should print the plain HTML as you get it.
But to avoid XSS, try to remove JavaScript tags and don't allow loading images from external resources.
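As an added example (not code from any of the posts above), an allow-list sanitizer that keeps the formatting tags the question lists while dropping scripts and attributes, which is what strip_tags() cannot do on its own. The allowed-tag list and the href rule are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the posts above: an allow-list sanitizer that keeps
// the tags named in the question (<b>, <i>, <a>, <li>) plus list/paragraph wrappers,
// strips every attribute and re-adds only an http(s) href on <a>. strip_tags() cannot
// do this: it leaves attributes such as onclick intact on the tags it lets through.
const ALLOWED_TAGS = ['b', 'i', 'a', 'li', 'ul', 'ol', 'p'];

function sanitizeHtml(string $dirty): string
{
    $doc = new DOMDocument();
    // The XML PI forces UTF-8; NOIMPLIED/NODEFDTD avoid html/body/doctype wrappers.
    @$doc->loadHTML('<?xml encoding="UTF-8"><div>' . $dirty . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    $root = $doc->getElementsByTagName('div')->item(0);
    cleanChildren($root);
    return implode('', array_map([$doc, 'saveHTML'], iterator_to_array($root->childNodes)));
}

function cleanChildren(DOMNode $node): void
{
    // Work on a snapshot: removing or unwrapping nodes mutates childNodes.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                                // plain text is always fine
        }
        $tag = $child instanceof DOMElement ? strtolower($child->tagName) : '';
        if ($tag === '' || $tag === 'script' || $tag === 'style') {
            $node->removeChild($child);              // comments/PIs, or code with its body
            continue;
        }
        cleanChildren($child);
        if (!in_array($tag, ALLOWED_TAGS, true)) {   // unwrap: keep the text, lose the tag
            while ($child->firstChild) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        $href = $child->getAttribute('href');
        foreach (iterator_to_array($child->attributes) as $attr) {
            $child->removeAttribute($attr->name);    // onclick, style, target, ...
        }
        if ($tag === 'a' && preg_match('#^https?://#i', $href)) {
            $child->setAttribute('href', $href);
            $child->setAttribute('rel', 'noopener noreferrer');
        }
    }
}
// Constructed hostile post: allowed formatting mixed with event handlers and script.
$post = '<b onmouseover="alert(1)">bold</b> <a href="javascript:alert(1)">x</a>'
      . '<a href="https://example.com">ok</a><script>alert(1)</script><li>item</li>';
echo sanitizeHtml($post);
```

The bold text and list item keep their tags, both links lose every attribute, only the https link gets its href back, and the script element disappears together with its body.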