I have an admin section within my site where items can be stored. Once they are stored, they are displayed on the front end. Part of my display involves code like the following:
echo "<p>".$rose['description']."</p>";
Does this need to have htmlspecialchars included into it to protect from xss at a low level?
Yes of course, you should always santize user input before outputting it back to prevent XSS attacks. remember that you should sanitize user input before outputting it and not before saving it to the db, because you don't always need to output html
Related
I'd need to load an user given URL and display a div with my content after the content of the user given website.
Implementing this would be trivial:
$c = file_get_contents($url);
echo $c . $myDivCode;
However, wouldn't this open my server to all kinds of security issues, such as XSS?
If so, what would be the best way to handle this taking into account I would like to be able to display the content of the user given URL as well as possible (i.e. run all the safe scripts).
The best way probably would be to display site in an iframe like that:
echo "<iframe src=\"$url\"></iframe>";
This way user loads the page directly from the url, without your server proxying it.
However, since you're displaying information from another site, your site will always be vulnerable to XSS unless you remove scripts and HTML completely.
Of course you are opened to xss exploits.
To prevent from XSS attacks, you just have to check and validate / escape properly all data, dont allow html or javascript code to be inserted from that url.
Use htmlspecialchars() to convert HTML characters into HTML entities. So characters like <> that mark the beginning/end of a tag are turned into html entities and you can use strip_tags() to only allow some tags as the function does not strip out harmful attributes like the onclick or onload.
I've been setting a div equal to some user inputted data using query $('#div').text(data). The security I had was to pass the data processed first on server side, returning htmlentities(data) etc. I noticed that when the output is displayed, the entities are not decoded. They are decoded if I use jquery html(data) instead.
Since it doesn't appear that the html is rendered for the data in text(data), would it be okay to pass anything to it without first using htmlentities?
What is the proper security setup for this scenario? I read that html(data) was susceptible to some security holes, so that's why I was trying text(data) instead.
I'm building an application that retrieve any type of user input, even if the user put an xss injection code. Beside that i'm providing an admin view to show the full content of what the user put, either they put html code, bb code, xss, javascript, etc(something like for analysis purpose).
I'm thinking that htmlentities($data, ENT_QUOTES) is enough for that, but after reading https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet it makes me more confused.
I don't want to remove any tag or script, i just want to display it in html with escaping. Is save if i put it on textarea tag ? I mean if the data is containing xss it would not executed if in text are ?
<textarea name="comment" rows="30" cols="100"><?php echo htmlentities($data, ENT_QUOTES); ?></textarea>
or there is any secure way to display xss on the browser but the xss it self not executed.
sorry for my bad english.
Thanks
The code you have posted is prone to XSS if your admin opens specially crafted user input the attacker can gain administrative privileges to that page. Placing user code within textarea or any other tag does not protect from XSS attacks. All the hacker has to do is close textarea tag in his input and do whatever he wants to.
I'm glad that you found owasp cheet sheet :) it's very usefull you should follow it. Remeber to escape all user input that is placed on the page.
I would recomend using htmlspecialchars and then do some tests with: tags presented here. If you won't see an JS alert then your application is to some extent protected from xss attacks.
I have a script that registers users based on their user input. This uses prepared statements plus whitelists to prevent sql injection. But I am struggling to understand the prevention of XSS.
From what I understand, you only need to prevent XSS if you are outputting HTML onto the page? What does this mean???
Im guessing that with this register page it doesn't apply because I am not outputting HTML to the web page? Is that right?
If I was to prevent XSS, do I use htmlspecialchars?
Generally correct, if you are having any returned values show up on the page, or if you are inserting information into the database for later retrieval and display (like user profile information) you will want to use htmlspecialchars.
For me, when I do my user registration, if they fail to enter a correct value in an input field, I redisplay the page with the values they entered. In this case, I have it encoded with htmlspecialchars.
If at any point ever, you plan on redisplaying the information from the DB into a webpage (as mentioned with profiles and the like) you should use htmlspecialchars.
Better safe than sorry I always say - never trust user input
Basically, XSS happens when you are taking the user's input un-sanitized and display in your webpage.
For example: A user inputs
<script>alert('hello you are hacked');</script>
In a text box, and you show this in your webpage after it is registered like
Hello, $username
This suddenly gets turned into
Hello, <script>alert('hello you are hacked');</script>
This is one of the form of XSS
One of a effiecient way to prevent XSS is like this
echo htmlspecialchars($varname, ENT_QUOTES, 'UTF-8');
From what I understand, you only need to prevent XSS if you are
outputting HTML onto the page? What does this mean???
XSS is an attack carried out by the server outputting HTML (in practice, Javascript) to the client when it did not mean to do so (and obviously when that HTML was specially crafted and supplied by a hostile user).
Im guessing that with this register page it doesn't apply because I am
not outputting HTML to the web page? Is that right?
If you are not outputting anything that comes from user input you are safe.
If I was to prevent XSS, do I use htmlspecialchars?
Yes, that is sufficient.
I am looking for a way or function that will allow me to display data from my mySQL database. The users are allowed to post articles, that I use mysql_real_escape_string to avoid SQL injections before inserting their post in the DB.
For my testing pursposes I write in a text area my post with tags like <b> <a> <i> <li>.
Later I will use an editor like this one here on Stackoverflow to help users with their posts.
However, I am aware of XSS and just echoing straight from the DB may lead to XSS attacks. So, I choosed for my tests to output the content with htmlentities or htmlspecialchars. None of them will show me the post correctly with html.
Therefore, I used strip tags but as far as I know and read, is not safe.
What is a function that you may use too, that will let me output the data correctly, just like this and prevent XSS?
If you want to display html correctly you should print plain html as you get it.
But for avoiding XSS try to remove javascript tags and don't allow load images from external resources.