Is htmlspecialchars($user_data) in PHP or h(user_data) in Ruby on Rails good enough for defending against all cases of XSS (cross-site scripting) attacks? What about the encoding used, or any other possible considerations?
Both htmlspecialchars and h escape all characters that may have special meaning in HTML, so there is no way that literal HTML may be injected into the target page.

However, there are ways to execute (dangerous) JavaScript that do not require HTML injection. For example, if you have an application that converts [img http://example.com/img.jpg] to <img src="http://example.com/img.jpg" />, imagine what may happen if a user enters [img javascript:alert(document.cookies);]. Escaping HTML characters will not save you here; you have to sanitise the given URLs. This is a fairly comprehensive list of possible XSS vulnerability examples.

If you always use htmlspecialchars/h and you always completely sanitise user input that is used as attribute values in any HTML elements, then you have a proper XSS defence.
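The [img URL] case from the answer above, as an added Ruby example that is not part of the original question or answer: escaping with h() handles the text and attribute-value contexts, while the URL placed in src is checked against a scheme allow-list first. IMG_TOKEN, safe_image_url and render_user_text are names chosen here, and the input is assumed to be UTF-8 text.

```ruby
require 'erb'
require 'uri'

# Constructed helper (not from the original answer): renders the
# "[img URL]" markup discussed above. h()/htmlspecialchars() stop
# literal HTML, but a src attribute is a URL context, so the URL
# itself is checked against a scheme allow-list before it is used.
IMG_TOKEN = /\[img\s+([^\]\s]+)\]/
ALLOWED_SCHEMES = %w[http https].freeze

# Returns the URL if it may be placed in a src attribute, otherwise nil.
# "javascript:..." and anything URI.parse rejects both come back nil.
def safe_image_url(raw)
  uri = URI.parse(raw)
  return nil unless ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)
  return nil if uri.host.to_s.empty?
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Turns user text into HTML. Every run of plain text is escaped with
# ERB::Util.html_escape (the method behind Rails' h()); an [img ...]
# token becomes an <img> tag only when its URL passes safe_image_url,
# and is otherwise shown as escaped text rather than silently dropped.
def render_user_text(text)
  out = String.new
  rest = text
  while (m = IMG_TOKEN.match(rest))
    out << ERB::Util.html_escape(m.pre_match)
    url = safe_image_url(m[1])
    html = if url
             # the URL is escaped again because it lands inside a quoted attribute
             %(<img src="#{ERB::Util.html_escape(url)}">)
           else
             ERB::Util.html_escape(m[0])
           end
    out << html
    rest = m.post_match
  end
  out << ERB::Util.html_escape(rest)
end

if __FILE__ == $PROGRAM_NAME
  puts render_user_text('[img http://example.com/img.jpg]')
  puts render_user_text('[img javascript:alert(document.cookies);]')
  puts render_user_text('<script>alert(1)</script>')
end
```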