Home/ Questions/Q 6892049
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T06:29:09+00:00

I’m having to work on an old web app that a previous developer left.

  • 0

I’m having to work on an old web app that a previous developer left. It is using addslashes() to prevent XSS on a HTTML attribute.

Here is an example:

<?php
  // all $_POST vars are put through addslashes()

  echo "<input type='hidden' value='" . $_POST['id'] . "' />";
?>

Is this vulnerable to XSS? Is there any way javascript can run in a value attribute like it can in an src attribute for example, src=’javascript:alert(99)’. Or can the value attribute be broken out of and then script tags can be inserted?

Edit: Thanks to Quentin, I believe it is vulnerable.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Is addslashes() safe to prevent XSS in a HTML attribute?

    It is highly ineffective.

    Is this vulnerable to XSS?

    Yes.

    Is there any way javascript can run in a value attribute like it can in an src attribute for example, src=’javascript:alert(99)’.

    No

    Or can the value attribute be broken out of and then script tags can be inserted?

    The data just has to include a " and the attribute is broken out of.

    Use htmlspecialchars when you want to insert an arbitrary string into an attribute value.

    • 0