Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Is this 100% safe against XSS?
If not, can you please provide example bad string text showing me why it is not.
<html>
<body>
<script>
<?php
$bad = "some bad string. please give example text that makes the below unsafe";
echo "var a = ".json_encode($bad).";";
echo "var b = ".json_encode(array($bad)).";";
?>
</script>
</body>
</html>
Thanks.
In short, it’s safe. Possible XSS would require escaping from the javascript string (
") or script (</script>). Both strings are properly escaped:This is the the part about direct injection. Your application should take in account that some array elements may be missing. Another possibility is that an array element is not the type you would expect (e.g., an array instead of a string)