Is Addslashes() Safe To Prevent XSS In A HTML Attribute?
I'm having to work on an old web app that a previous developer left. It is using addslashes() to prevent XSS on a HTTML attribute. Here is an example:
Solution 1:
Is addslashes() safe to prevent XSS in a HTML attribute?
It is highly ineffective.
Is this vulnerable to XSS?
Yes.
Is there any way javascript can run in a value attribute like it can in an src attribute for example, src='javascript:alert(99)'.
No
Or can the value attribute be broken out of and then script tags can be inserted?
The data just has to include a " and the attribute is broken out of.
Use htmlspecialchars when you want to insert an arbitrary string into an attribute value.
Solution 2:
addslashes() is not appropriate for this task. Use htmlspecialchars() or htmlentities() instead, eg
<input type="hidden"
value="<?php echo htmlspecialchars($_POST['id'], ENT_QUOTES, 'UTF-8') ?>">
Post a Comment for "Is Addslashes() Safe To Prevent XSS In A HTML Attribute?"