I have a script that registers users based on their user input. This uses prepared statements plus whitelists to prevent sql injection. But I am struggling to understand the prevention of XSS.
From what I understand, you only need to prevent XSS if you are outputting HTML onto the page? What does this mean???
Im guessing that with this register page it doesn't apply because I am not outputting HTML to the web page? Is that right?
If I was to prevent XSS, do I use htmlspecialchars?
Generally correct, if you are having any returned values show up on the page, or if you are inserting information into the database for later retrieval and display (like user profile information) you will want to use htmlspecialchars.
For me, when I do my user registration, if they fail to enter a correct value in an input field, I redisplay the page with the values they entered. In this case, I have it encoded with htmlspecialchars.
If at any point ever, you plan on redisplaying the information from the DB into a webpage (as mentioned with profiles and the like) you should use htmlspecialchars.
Better safe than sorry I always say - never trust user input
Basically, XSS happens when you are taking the user's input un-sanitized and display in your webpage.
For example: A user inputs
<script>alert('hello you are hacked');</script>
In a text box, and you show this in your webpage after it is registered like
Hello, $username
This suddenly gets turned into
Hello, <script>alert('hello you are hacked');</script>
This is one of the form of XSS
One of a effiecient way to prevent XSS is like this
echo htmlspecialchars($varname, ENT_QUOTES, 'UTF-8');
From what I understand, you only need to prevent XSS if you are
outputting HTML onto the page? What does this mean???
XSS is an attack carried out by the server outputting HTML (in practice, Javascript) to the client when it did not mean to do so (and obviously when that HTML was specially crafted and supplied by a hostile user).
Im guessing that with this register page it doesn't apply because I am
not outputting HTML to the web page? Is that right?
If you are not outputting anything that comes from user input you are safe.
If I was to prevent XSS, do I use htmlspecialchars?
Yes, that is sufficient.
Related
This question already has answers here:
How to prevent XSS with HTML/PHP?
(9 answers)
Closed 2 years ago.
I need to implement a logic where the user sends some content (it can be just a string but also can be part of HTML markup), we store that info to a database, and at some period of time, we replace the base email template placeholder with that data and sending that email.
And there is a chance that data sent by the user can contain some HTML/XSS injections. How can we efficiently validate the data before storing it to the database???
Against XSS injection you can use htmlspecialchars in general, however, we know that you intend to allow HTML to be sent, so your validation will have to check against the presence of <script. If that's present in your input, then you should render it invalid. Now, there is another way of providing Javascript in HTML, that is, inline Javascript, being the values of onclick, onhover and so on. I would advise to make sure that, if such an event handler is present between the < and > of a tag, then simply render the input invalid.
Now, you have also mentioned HTML injection, that is, some HTML is injected which causes undesirable behavior. However, due to the fact that you welcome HTML in the input, distinguishing between "bad HTML injection" and "good HTML injection" can be decided by:
checking the validity of the html you get
checking against any problems that the HTML might cause in your application
The first criteria is easy to determine, read the link, the second criteria depends on business logic. That HTML might ruin your design, for example, if there are some expectations for it, so you need to lay down the foundations of what you expect in terms of HTML.
And also, since we are speaking about security, make sure you protect your database against SQL injection as well.
I'd need to load an user given URL and display a div with my content after the content of the user given website.
Implementing this would be trivial:
$c = file_get_contents($url);
echo $c . $myDivCode;
However, wouldn't this open my server to all kinds of security issues, such as XSS?
If so, what would be the best way to handle this taking into account I would like to be able to display the content of the user given URL as well as possible (i.e. run all the safe scripts).
The best way probably would be to display site in an iframe like that:
echo "<iframe src=\"$url\"></iframe>";
This way user loads the page directly from the url, without your server proxying it.
However, since you're displaying information from another site, your site will always be vulnerable to XSS unless you remove scripts and HTML completely.
Of course you are opened to xss exploits.
To prevent from XSS attacks, you just have to check and validate / escape properly all data, dont allow html or javascript code to be inserted from that url.
Use htmlspecialchars() to convert HTML characters into HTML entities. So characters like <> that mark the beginning/end of a tag are turned into html entities and you can use strip_tags() to only allow some tags as the function does not strip out harmful attributes like the onclick or onload.
I'm building an application that retrieve any type of user input, even if the user put an xss injection code. Beside that i'm providing an admin view to show the full content of what the user put, either they put html code, bb code, xss, javascript, etc(something like for analysis purpose).
I'm thinking that htmlentities($data, ENT_QUOTES) is enough for that, but after reading https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet it makes me more confused.
I don't want to remove any tag or script, i just want to display it in html with escaping. Is save if i put it on textarea tag ? I mean if the data is containing xss it would not executed if in text are ?
<textarea name="comment" rows="30" cols="100"><?php echo htmlentities($data, ENT_QUOTES); ?></textarea>
or there is any secure way to display xss on the browser but the xss it self not executed.
sorry for my bad english.
Thanks
The code you have posted is prone to XSS if your admin opens specially crafted user input the attacker can gain administrative privileges to that page. Placing user code within textarea or any other tag does not protect from XSS attacks. All the hacker has to do is close textarea tag in his input and do whatever he wants to.
I'm glad that you found owasp cheet sheet :) it's very usefull you should follow it. Remeber to escape all user input that is placed on the page.
I would recomend using htmlspecialchars and then do some tests with: tags presented here. If you won't see an JS alert then your application is to some extent protected from xss attacks.
I have an admin section within my site where items can be stored. Once they are stored, they are displayed on the front end. Part of my display involves code like the following:
echo "<p>".$rose['description']."</p>";
Does this need to have htmlspecialchars included into it to protect from xss at a low level?
Yes of course, you should always santize user input before outputting it back to prevent XSS attacks. remember that you should sanitize user input before outputting it and not before saving it to the db, because you don't always need to output html
I am looking for a way or function that will allow me to display data from my mySQL database. The users are allowed to post articles, that I use mysql_real_escape_string to avoid SQL injections before inserting their post in the DB.
For my testing pursposes I write in a text area my post with tags like <b> <a> <i> <li>.
Later I will use an editor like this one here on Stackoverflow to help users with their posts.
However, I am aware of XSS and just echoing straight from the DB may lead to XSS attacks. So, I choosed for my tests to output the content with htmlentities or htmlspecialchars. None of them will show me the post correctly with html.
Therefore, I used strip tags but as far as I know and read, is not safe.
What is a function that you may use too, that will let me output the data correctly, just like this and prevent XSS?
If you want to display html correctly you should print plain html as you get it.
But for avoiding XSS try to remove javascript tags and don't allow load images from external resources.