Following on from a question I asked about escaping content when building a custom CMS, I wanted to find out how dangerous not escaping content from the db can be – assume the data has been filtered/validated prior to insertion in the db.
I know it’s a best practice to escape output but I’m just not sure how easy or even possible it is for someone to ‘inject’ a value into page content that is to be displayed.
For example let’s assume this content with HTML markup is displayed using a simple echo statement:
<p>hello</p>
Admittedly it won’t win any awards as far as content writing goes 😉
My question is: can someone alter that for evil purposes, assuming it was filtered/validated prior to db insertion?
If you do not escape your HTML output, one could simply insert scripts into the HTML code of your page – running in the browser of every client that visits your page. It is called Cross-site scripting (XSS).
For example:
In the place of the alert(), you can use basically anything: access cookies, manipulate the DOM, communicate with other servers, et cetera.

Well, this is a very easy way of inserting scripts, and strip_tags can protect against this one. But there are hundreds of more sophisticated tricks that strip_tags simply won’t protect against.

If you really want to store and output HTML, HTMLPurifier could be your solution.
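The two failure modes the answer describes (raw output of stored content, and relying on tag stripping instead of escaping), as an added example that is not part of the original answer. It is written in Python rather than PHP so it can be run stand-alone; `render_unescaped` stands in for a bare `echo`, `render_escaped` for `htmlspecialchars`, and `strip_tags_like` is a deliberately simplified, hypothetical stand-in for PHP's `strip_tags($s, '<p>')` that keeps allowed tags verbatim, attributes included. The stored payloads are constructed samples of content that got past input filtering, not data from the question.

```python
import html
import re

# Constructed samples of what could end up in the `content` column despite
# input filtering (through another form, an import script, or a later bug).
# Both are the stored-XSS shapes the answer refers to: a script tag, and an
# event handler attribute on an otherwise harmless <p>.
STORED_CONTENT = [
    '<p>hello</p><script>alert(document.cookie)</script>',
    '<p onmouseover="alert(document.cookie)">hello</p>',
]

# Crude detector, used only to make the examples checkable: is there still a
# real <script> tag, or an inline on*= handler inside a real tag? Escaped text
# contains no '<', so it can never match.
_ACTIVE_RE = re.compile(r'<script\b|<[a-z][^>]*\son[a-z]+\s*=', re.I)


def contains_active_content(markup: str) -> bool:
    """True if the markup would make the browser execute script."""
    return _ACTIVE_RE.search(markup) is not None


def render_unescaped(content: str) -> str:
    """What a bare `echo $content;` does: stored bytes reach the browser as-is."""
    return f'<div class="post">{content}</div>'


def render_escaped(content: str) -> str:
    """Output escaping: every stored character is shown as text, never parsed as markup."""
    return f'<div class="post">{html.escape(content, quote=True)}</div>'


# Matches one opening or closing tag: group 2 is the tag name, group 3 the attributes.
_TAG_RE = re.compile(r'<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>')


def strip_tags_like(content: str, allowed: tuple = ()) -> str:
    """Hypothetical, simplified stand-in for PHP's strip_tags($s, '<p>'):
    tags whose name is not in `allowed` are removed, allowed tags are kept
    verbatim, attributes and all. That is exactly why it is not a defence:
    an allowed <p> still carries its onmouseover handler."""
    def keep_or_drop(match):
        return match.group(0) if match.group(2).lower() in allowed else ''
    return _TAG_RE.sub(keep_or_drop, content)


if __name__ == '__main__':
    for payload in STORED_CONTENT:
        print('echo          :', render_unescaped(payload))
        print('escaped       :', render_escaped(payload))
        print('strip_tags <p>:', strip_tags_like(payload, ('p',)))
        print()
```

Run it and compare the three renderings: the escaped version displays the attacker's markup literally (which is the correct outcome when you do not intend to store HTML), while the stripped version removes the `<script>` payload but leaves the `onmouseover` one intact. If the CMS must keep some HTML, that is the gap an allow-list sanitizer such as HTMLPurifier is meant to close, by rewriting attributes rather than just filtering tag names.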