I’m going through my site and doing a security audit. I’ve simply accepted the fact that I need to sanitize ALL user input, but I’ve never really stopped and experimented with what’s really going on. I’m starting to experiment now.
I have a typical contact form on a PHP page. It’s _POSTing data. $_POST["first_name"]; etc.
I do this $firstName = htmlspecialchars($_POST["first_name"]); to sanitize and display a message like the one below.
echo $firstName . ', thank you for your interest. We'll be in touch soon!'
I started to play with this and if I enter something such as <script>alert('hello')</script> in the first name field, htmlspecialchars does it’s job and coverts the tags.
When I remove htmlspecialchars the script doesn’t get converted and it displays in the source as <script>alert('hello')</script> BUT, it does not execute.
My question is, why doesn’t this execute? Isn’t this basically what an XSS attack would do? Am I misunderstanding something?
When I tried this in Chrome I saw an error in the console:
So it’s possible modern browsers do this check to prevent it. You should continue to sanitize your input regardless of course, but check your console and you will probably see this.