Is addslashes() safe to prevent XSS in an HTML attribute?
I'm having to work on an old web app that a previous developer left. It is using addslashes() to prevent XSS on an HTML attribute. Here is an example:
Solution 1:
Is addslashes() safe to prevent XSS in a HTML attribute?
It is highly ineffective.
Is this vulnerable to XSS?
Yes.
Is there any way JavaScript can run in a value attribute like it can in a src attribute, for example src='javascript:alert(99)'?
No.
Or can the value attribute be broken out of and then script tags can be inserted?
The data just has to include a " and the attribute is broken out of.
Use htmlspecialchars() when you want to insert an arbitrary string into an attribute value.
Solution 2:
addslashes() is not appropriate for this task. Use htmlspecialchars() or htmlentities() instead, e.g.
<input type="hidden" value="<?php echo htmlspecialchars($_POST['id'], ENT_QUOTES, 'UTF-8') ?>">
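The following is an added example illustrating both answers above; it is not code from the original question or either answer. It renders the same hidden-input template once with addslashes() and once with htmlspecialchars(), then parses each result with PHP's DOMDocument (a stand-in for the browser's HTML parser) to show whether the attacker-controlled string stayed inside the attribute. The payload, the template and the helper names are constructed for this demonstration.

```php
<?php
// Added example (not from the original answers): contrast addslashes()
// with htmlspecialchars() when an attacker-controlled string lands in
// an HTML attribute. Payload and template are constructed for this demo.

// Constructed attacker input: closes the value attribute and the tag,
// then injects a script element. No src= or javascript: URL is needed.
const PAYLOAD = '"><script>alert(1)</script>';

function renderWithAddslashes(string $value): string
{
    // addslashes() only prepends a backslash to ' " \ and NUL. HTML has
    // no backslash escape, so the double quote still ends the attribute.
    return '<input type="hidden" value="' . addslashes($value) . '">';
}

function renderWithHtmlspecialchars(string $value): string
{
    // ENT_QUOTES escapes both quote styles; the charset must match the page.
    return '<input type="hidden" value="'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        . '">';
}

// Parse the markup the way a browser would and report what came out:
// how many <script> elements exist and what the input's value became.
function inspect(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // fragments trigger parse warnings
    $doc->loadHTML($html);
    libxml_clear_errors();

    $inputs = $doc->getElementsByTagName('input');
    $value  = $inputs->length > 0 ? $inputs->item(0)->getAttribute('value') : null;

    return [
        'scripts' => $doc->getElementsByTagName('script')->length,
        'value'   => $value,
    ];
}

$rendered = [
    'addslashes'       => renderWithAddslashes(PAYLOAD),
    'htmlspecialchars' => renderWithHtmlspecialchars(PAYLOAD),
];

foreach ($rendered as $name => $html) {
    echo $name, ': ', $html, PHP_EOL;
    print_r(inspect($html));
}
```

With addslashes() the markup is <input type="hidden" value="\"><script>alert(1)</script>">, which the parser reads as an input whose value is a lone backslash followed by a real script element: the attribute was broken out of and a script tag inserted, exactly as the first answer describes. With htmlspecialchars() every " < > becomes an entity, the parser finds no script element, and getAttribute('value') returns the original payload text unchanged, so the data survives as data.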