#1
  1. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,653
    Rep Power
    171

    If strip_tags removes html tags, how come it's not enough to stop xss?


    Hello;

    If strip_tags removes html tags, how come it's not enough to stop xss?
  2. #2
  3. Did you steal it?
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    13,997
    Rep Power
    9397
    Citation needed? I think it would prevent XSS (strictly speaking) but it wouldn't prevent people from mucking around with your HTML.
  4. #3
  5. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,653
    Rep Power
    171
    Originally Posted by requinix
    Citation needed? I think it would prevent XSS (strictly speaking) but it wouldn't prevent people from mucking around with your HTML.
    Please show me an example of you messing around with HTML. Thanks
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Hi,

    mangling user input for security is simply wrong. It's like this online banking website that wouldn't allow users to have the words "SELECT", "DELETE" etc. in their name.

    There's no reason why a user shouldn't be able to input "<" or even complete HTML. Making sure that this never gets executed is your responsibility. And that's what htmlentities() is for.

    This strip_tags() also won't remove attributes and "/>", so when you're inside a tag, you can still interfere with the HTML and inject JavaScript.

    Long story short: Forget this function. Whatever it's good for (which I still haven't found out), it's not suitable for filtering user input.
  8. #5
  9. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,653
    Rep Power
    171
    Originally Posted by Jacques1
    Hi,

    mangling user input for security is simply wrong. It's like this online banking website that wouldn't allow users to have the words "SELECT", "DELETE" etc. in their name.

    There's no reason why a user shouldn't be able to input "<" or even complete HTML. Making sure that this never gets executed is your responsibility. And that's what htmlentities() is for.

    This strip_tags() also won't remove attributes and "/>", so when you're inside a tag, you can still interfere with the HTML and inject JavaScript.

    Long story short: Forget this function. Whatever it's good for (which I still haven't found out), it's not suitable for filtering user input.
    Ok. How would you filter the user's data? Also I'd really like to see what you say about this.
    Thanks
  10. #6
  11. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Originally Posted by zxcvbnm
    How would you filter user's data?
    With htmlentities(). But in any case you have to be careful what you put where. If you allow users to e.g. write into an "onclick" attribute, there's no function on earth that will prevent JavaScript injections.
  12. #7
  13. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,653
    Rep Power
    171
    Originally Posted by Jacques1
    With htmlentities(). But in any case you have to be careful what you put where. If you allow users to e.g. write into an "onclick" attribute, there's no function on earth that will prevent JavaScript injections.
    Oh hello. Do you use htmlentities only when you insert into the database, or when you retrieve data? And how do you deal with a database that has data entered into it in different styles? For example some with htmlentities and some without.
  14. #8
  15. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    The database must always contain the raw input data without any escaping stuff. "Pre-filtering" the data is a bad idea for several reasons:
    • when you make a mistake, you'll break all user data; and since you don't have the original input, you're likely to spend hours fixing the broken stuff (if it's even possible)
    • like you already said, there may be different ways of escaping, so you can easily end up with a complete mess
    • who says that you'll only use the data in HTML? If some day you need it in a different context (PDF, Excel, whatever), you'll first have to remove the HTML stuff again


    So always store the raw data and do the escaping right before the output. If you already have HTML entities flying around in your database, you'll have to fix it manually (with html_entity_decode).
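    The workflow described in this post, as an added example that is not code from the thread: raw text goes into the database through a prepared statement, escaping happens only when a row is rendered as HTML, the same raw row can be exported to a non-HTML format unchanged, and rows that older code had already run through htmlentities() are decoded once with html_entity_decode(). It assumes PHP with the pdo_sqlite extension (an in-memory SQLite database stands in for the real one), and it uses htmlspecialchars() with ENT_QUOTES for the output step rather than htmlentities(); for XSS purposes both escape the characters that matter (&, <, >, " and '), htmlentities() merely encodes more of the rest. The table layout, the function names and the sample posts are constructed for the demo.

```php
<?php
// Added example, not code from the thread: store the raw input, escape only
// when rendering HTML, and repair rows that were already entity-encoded on the
// way in. Assumes the pdo_sqlite extension; the table, function names and
// sample data are constructed for the demo.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Writing: a prepared statement, no htmlentities(), no strip_tags(). The
// database receives exactly what the user typed.
function savePost(PDO $db, string $body): int
{
    $st = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $st->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

// Reading for HTML: escape at the output boundary, and only there.
// ENT_QUOTES covers both quote characters so the value is safe inside
// quoted attributes as well as in text content.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderPost(PDO $db, int $id): string
{
    $st = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $st->execute([':id' => $id]);
    $body = (string) $st->fetchColumn();
    return '<p>' . e($body) . '</p>';
}

// Reading for a non-HTML context (the PDF/Excel point above): the raw row
// can be handed to a CSV writer without first undoing any HTML encoding.
function exportCsv(PDO $db): string
{
    $out = fopen('php://memory', 'w+');
    foreach ($db->query('SELECT id, body FROM posts') as $row) {
        fputcsv($out, [$row['id'], $row['body']], ',', '"', '');
    }
    rewind($out);
    return stream_get_contents($out);
}

// One-off repair for rows that already hold htmlentities() output: decode
// once, in place. Run it exactly once; decoding a row whose author genuinely
// typed "&lt;" would corrupt it, so the legacy rows are identified by id here
// (constructed for the demo) rather than by guessing from their contents.
function decodeLegacyRows(PDO $db, array $ids): void
{
    $sel = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $upd = $db->prepare('UPDATE posts SET body = :body WHERE id = :id');
    foreach ($ids as $id) {
        $sel->execute([':id' => $id]);
        $raw = html_entity_decode((string) $sel->fetchColumn(), ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $upd->execute([':body' => $raw, ':id' => $id]);
    }
}

// A post written the right way: raw text, script tag and all, stored as typed.
$new = savePost($db, "a < b && c > d <script>alert('x')</script>");
// A row written by older code that ran htmlentities() before the INSERT.
$legacy = savePost($db, htmlentities("O'Reilly & Sons <b>", ENT_QUOTES, 'UTF-8'));

decodeLegacyRows($db, [$legacy]);

echo renderPost($db, $new), "\n";     // script tag arrives in the page as text, not markup
echo renderPost($db, $legacy), "\n";  // rendered once, not double-encoded
echo exportCsv($db);                  // raw values, no HTML entities in the CSV
```

    Run it with `php` on the command line. The point to watch is that both rendered rows pass through e() exactly once: the new row because it was never encoded before, the legacy row because decodeLegacyRows() removed the earlier encoding first.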
  16. #9
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,317
    Rep Power
    7170
    strip_tags doesn't prevent XSS because XSS attacks involve injecting JavaScript into your page. Usually this JavaScript is injected into an HTML element that already exists, meaning there is no need for HTML to be contained within the string and strip_tags will do nothing.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
  18. #10
  19. Did you steal it?
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    13,997
    Rep Power
    9397
    Oreo reminded me of how it's possible without using the magic < character that strip_tags() looks for.

    Example 1: strip_tags() will protect you
    PHP Code:
    $name = strip_tags("zxcvbnm<script>alert('Hi');</script>");
    echo "<h1>{$name}</h1>";
    Code:
    <h1>zxcvbnmalert('Hi');</h1>
    Example 2: strip_tags() won't protect you
    PHP Code:
    $post = '...';
    // the apostrophe in "it's" ends the single-quoted title attribute early
    $title = strip_tags("If strip_tags removes html tags, how come it's not enough to stop xss?");
    echo "<div class='post' title='{$title}'>{$post}</div>";
    html4strict Code:
    <div class='post' title='If strip_tags removes html tags, how come it's not enough to stop xss?'>...</div>

    (check the highlighting)

    Example 3: no really, it won't protect you
    PHP Code:
    $post = '...';
    // no '<' anywhere, so strip_tags() leaves the string untouched
    $title = strip_tags("' onmousemove='alert(&quot;Hi&quot;);");
    echo "<div class='post' title='{$title}'>{$post}</div>";
    Code:
    <div class='post' title='' onmousemove='alert(&quot;Hi&quot;);'>...</div>
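    The attribute-context break-outs shown in examples 2 and 3 above, and the point from post #9 that the payload needs no "<" at all, as an added example that is not code from the thread: each constructed title is rendered with requinix's template twice, once through strip_tags() and once through htmlspecialchars() with ENT_QUOTES, and a real HTML parser (PHP's DOMDocument, which uses libxml's HTML parser) then reports which attributes the <div> actually ended up with. Any attribute beyond class and title was put there by the input. The helper names e(), renderPost() and divAttributes() and the three sample titles are assumptions for the demo; the third title is a no-"<" payload of the kind post #9 describes. This also illustrates the onclick remark in post #6 in reverse: escaping works here because the template, not the user, decides which attributes exist.

```php
<?php
// Added example, not code from the thread: compare strip_tags() with
// htmlspecialchars(ENT_QUOTES) for a user-controlled value placed inside a
// single-quoted attribute, and let a real HTML parser say what came out.
// Helper names and the sample titles are constructed for the demo.
declare(strict_types=1);

// Escape for HTML text content and for quoted attribute values.
// ENT_QUOTES matters: without it a single quote inside a '...'-delimited
// attribute value is passed through and can close the attribute early.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Same template as the examples above: the user-controlled title sits in an
// attribute, so the '<' character that strip_tags() looks for is irrelevant.
function renderPost(string $title, string $body, callable $filter): string
{
    $t = $filter($title);
    return "<div class='post' title='{$t}'>{$body}</div>";
}

// Parse the fragment the way a browser would and return the attribute names
// the <div> actually carries after parsing.
function divAttributes(string $html): array
{
    libxml_use_internal_errors(true);   // malformed markup is the point; keep it quiet
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><meta charset="utf-8">' . $html);
    libxml_clear_errors();
    $div = $doc->getElementsByTagName('div')->item(0);
    $names = [];
    foreach ($div->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed inputs: the first two are the titles from the examples above,
// the third is an autofocus/onfocus payload that fires without user action.
$titles = [
    "If strip_tags removes html tags, how come it's not enough to stop xss?",
    "' onmousemove='alert(&quot;Hi&quot;);",
    "x' onfocus='alert(1)' autofocus='",
];
$filters = [
    'strip_tags'                  => 'strip_tags',
    'htmlspecialchars(ENT_QUOTES)' => 'e',
];

foreach ($titles as $title) {
    echo "input: {$title}\n";
    foreach ($filters as $label => $fn) {
        $html  = renderPost($title, '...', $fn);
        $attrs = divAttributes($html);
        $extra = array_diff($attrs, ['class', 'title']);
        printf("  %-29s attributes: %s%s\n", $label, implode(', ', $attrs),
            $extra ? '   <-- attacker-added' : '');
    }
}
```

    Run it with `php`. With strip_tags() the parser reports onmousemove, onfocus and autofocus (and, for the first title, a string of junk attributes made from the words after "it"); with htmlspecialchars(ENT_QUOTES) the list is class and title for all three, because the quotes in the value arrive as entities and the attribute never closes early. The check only says which attributes exist, which is enough for this demo: an attribute the template never wrote is the injection, whatever its value.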
  20. #11
  21. Contributing User
    Devshed Novice (500 - 999 posts)

    Join Date
    Sep 2002
    Location
    Seattle, U.S.A.
    Posts
    712
    Rep Power
    12
    Good article on preventing XSS from Chris Shiflett ...
    http://shiflett.org/blog/2007/mar/al...preventing-xss
