PHP Development
 
Forums: » Register « |  User CP |  Games |  Calendar |  Members |  FAQs |  Sitemap |  Support | 
User Name:
Password:
Remember me

The Shed is going Social! Join us on FaceBook and Twitter and chime in on the conversation.

Go Back   Dev Shed ForumsProgramming LanguagesPHP Development
Reload this Page

Does htmspecialchars stop css attack?


Reply
Add This Thread To:
  Del.icio.us   Digg   Google   Spurl   Blink   Furl   Simpy   Y! MyWeb 
« Previous Thread | Next Thread »  
Thread Tools Search this Thread Rate Thread Display Modes
 
Unread Dev Shed Forums Sponsor:
  #1  
Old March 6th, 2013, 09:10 PM
zxcvbnm's Avatar
zxcvbnm zxcvbnm is offline
A Change of Season
Click here for more information.
  
Join Date: Mar 2004
Posts: 1,600 zxcvbnm User rank is Second Lieutenant (5000 - 10000 Reputation Level)zxcvbnm User rank is Second Lieutenant (5000 - 10000 Reputation Level)zxcvbnm User rank is Second Lieutenant (5000 - 10000 Reputation Level)zxcvbnm User rank is Second Lieutenant (5000 - 10000 Reputation Level)zxcvbnm User rank is Second Lieutenant (5000 - 10000 Reputation Level)zxcvbnm User rank is Second Lieutenant (5000 - 10000 Reputation Level)zxcvbnm User rank is Second Lieutenant (5000 - 10000 Reputation Level) 
Time spent in forums: 2 Weeks 5 Days 1 h 39 m 55 sec
Reputation Power: 70
Does htmspecialchars stop css attack?
For example is this enough for keeping the data in the text field?
PHP Code:
echo '<input type="text" value="'.htmlspecialchars($_POST['search']).'" />'
Not speaking about sql injeciton here.
Thanks
Reply With Quote
  #2  
Old March 6th, 2013, 09:19 PM
requinix's Avatar
requinix requinix is offline
Still alive
Click here for more information.
  
Join Date: Mar 2007
Location: Washington, USA
Posts: 12,711 requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)  Folding Points: 417516 Folding Title: Super Ultimate Folder - Level 1Folding Points: 417516 Folding Title: Super Ultimate Folder - Level 1Folding Points: 417516 Folding Title: Super Ultimate Folder - Level 1Folding Points: 417516 Folding Title: Super Ultimate Folder - Level 1Folding Points: 417516 Folding Title: Super Ultimate Folder - Level 1Folding Points: 417516 Folding Title: Super Ultimate Folder - Level 1
Time spent in forums: 5 Months 1 Week 4 Days 6 h 48 m 5 sec
Reputation Power: 8969
Send a message via AIM to requinix Send a message via MSN to requinix Send a message via Yahoo to requinix Send a message via Google Talk to requinix
XSS.

Yes, but it would be good to get in the habit of using the full power of the function.
PHP Code:
 htmlspecialchars($_POST['search'], ENT_QUOTES'UTF-8'
Reply With Quote
  #3  
Old March 6th, 2013, 10:38 PM
zxcvbnm's Avatar
zxcvbnm zxcvbnm is offline
A Change of Season
Click here for more information.
  
Join Date: Mar 2004
Posts: 1,600 zxcvbnm User rank is Second Lieutenant (5000 - 10000 Reputation Level)zxcvbnm User rank is Second Lieutenant (5000 - 10000 Reputation Level)zxcvbnm User rank is Second Lieutenant (5000 - 10000 Reputation Level)zxcvbnm User rank is Second Lieutenant (5000 - 10000 Reputation Level)zxcvbnm User rank is Second Lieutenant (5000 - 10000 Reputation Level)zxcvbnm User rank is Second Lieutenant (5000 - 10000 Reputation Level)zxcvbnm User rank is Second Lieutenant (5000 - 10000 Reputation Level) 
Time spent in forums: 2 Weeks 5 Days 1 h 39 m 55 sec
Reputation Power: 70
Quote:
Originally Posted by requinix
XSS.

Yes, but it would be good to get in the habit of using the full power of the function.
PHP Code:
 htmlspecialchars($_POST['search'], ENT_QUOTES'UTF-8'
Typo. Sorry.

I saw that before, but can't really see the difference.
Reply With Quote
  #4  
Old March 6th, 2013, 10:55 PM
requinix's Avatar
requinix requinix is offline
Still alive
Click here for more information.
  
Join Date: Mar 2007
Location: Washington, USA
Posts: 12,711 requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)requinix User rank is General 120th Grade (Above 100000 Reputation Level)  Folding Points: 417516 Folding Title: Super Ultimate Folder - Level 1Folding Points: 417516 Folding Title: Super Ultimate Folder - Level 1Folding Points: 417516 Folding Title: Super Ultimate Folder - Level 1Folding Points: 417516 Folding Title: Super Ultimate Folder - Level 1Folding Points: 417516 Folding Title: Super Ultimate Folder - Level 1Folding Points: 417516 Folding Title: Super Ultimate Folder - Level 1
Time spent in forums: 5 Months 1 Week 4 Days 6 h 48 m 5 sec
Reputation Power: 8969
Send a message via AIM to requinix Send a message via MSN to requinix Send a message via Yahoo to requinix Send a message via Google Talk to requinix
ENT_QUOTES will make it escape apostrophes too, in case you have HTML like
Code:
<input type='text' value='blah' />

UTF-8 is to help with potential text encoding problems.
Reply With Quote
  #5  
Old March 6th, 2013, 11:06 PM
Jacques1's Avatar
Jacques1 Jacques1 is online now
pollyanna
Click here for more information.
  
Join Date: Jul 2012
Location: Germany
Posts: 1,874 Jacques1 User rank is Lieutenant General (80000 - 90000 Reputation Level)Jacques1 User rank is Lieutenant General (80000 - 90000 Reputation Level)Jacques1 User rank is Lieutenant General (80000 - 90000 Reputation Level)Jacques1 User rank is Lieutenant General (80000 - 90000 Reputation Level)Jacques1 User rank is Lieutenant General (80000 - 90000 Reputation Level)Jacques1 User rank is Lieutenant General (80000 - 90000 Reputation Level)Jacques1 User rank is Lieutenant General (80000 - 90000 Reputation Level)Jacques1 User rank is Lieutenant General (80000 - 90000 Reputation Level)Jacques1 User rank is Lieutenant General (80000 - 90000 Reputation Level)Jacques1 User rank is Lieutenant General (80000 - 90000 Reputation Level)Jacques1 User rank is Lieutenant General (80000 - 90000 Reputation Level)Jacques1 User rank is Lieutenant General (80000 - 90000 Reputation Level)Jacques1 User rank is Lieutenant General (80000 - 90000 Reputation Level)Jacques1 User rank is Lieutenant General (80000 - 90000 Reputation Level)Jacques1 User rank is Lieutenant General (80000 - 90000 Reputation Level) 
Time spent in forums: 1 Month 2 Weeks 2 Days 2 h 47 m 52 sec
Reputation Power: 813
Just so that there's no misunderstanding: Of course you must not specify 'UTF-8' if the page encoding isn't UTF-8. You have to specify the actual encoding as set in the Content-Type header. If you don't explicitly specify the encoding, you rely on the default value, which may or may not be correct. If it isn't, this can render the whole function useless:

http://shiflett.org/blog/2005/dec/g...s-vulnerability

I've actually written down all that in the link in my signature.
Reply With Quote
Reply

Viewing: Dev Shed ForumsProgramming LanguagesPHP Development > Does htmspecialchars stop css attack?

« Previous Thread | Next Thread »

Developer Shed Advertisers and Affiliates



Thread Tools  Search this Thread 
Search this Thread:

Advanced Search
Display Modes  Rate This Thread 
Linear Mode Linear Mode
Rate This Thread:


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
View Your Warnings | New Posts | Latest News | Latest Threads | Shoutbox
Forum Jump

Forums: » Register « |  User CP |  Games |  Calendar |  Members |  FAQs |  Sitemap |  Support | 
  
 


Powered by: vBulletin Version 3.0.5
Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.

© 2003-2013 by Developer Shed. All rights reserved. DS Cluster - Follow our Sitemap