
I'm going through my site and doing a security audit. I've simply accepted the fact that I need to sanitize ALL user input, but I've never really stopped and experimented with what's really going on. I'm starting to experiment now.

I have a typical contact form on a PHP page. It's _POSTing data. $_POST["first_name"]; etc.

I do this $firstName = htmlspecialchars($_POST["first_name"]); to sanitize and display a message like the one below.

echo $firstName . ", thank you for your interest. We'll be in touch soon!";

I started to play with this and if I enter something such as <script>alert('hello')</script> in the first name field, htmlspecialchars does its job and converts the tags.

When I remove htmlspecialchars the script doesn't get converted and it displays in the source as <script>alert('hello')</script> BUT, it does not execute.

My question is, why doesn't this execute? Isn't this basically what an XSS attack would do? Am I misunderstanding something?

  • Did you check the JavaScript console for errors? Commented Aug 1, 2012 at 22:49
  • @symcbean - I just checked. Yes, there is an error. "Refused to execute a JavaScript script. Source code of script found within request." Commented Aug 1, 2012 at 22:52
  • use htmlspecialchars($_POST["first_name"], ENT_QUOTES); instead Commented Aug 1, 2012 at 22:53

1 Answer


When I tried this in Chrome I saw an error in the console:

Refused to execute a JavaScript script. Source code of script found within request.

So it's possible modern browsers do this check to prevent it. You should continue to sanitize your input regardless of course, but check your console and you will probably see this.


3 Comments

I just checked and saw the same error. So, in theory, this is how an XSS attack would take place, correct?
@Paul try it in Internet Explorer (an older version) which may not have such a sophisticated check. Other than that, read up on how XSS attacks are made. They can be made in so many ways... the only limit is your imagination.
Since Chrome 11, it includes an XSS filter. Many other browsers don't, and XSS filters can't catch anything (persistent XSS in particular).
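A worked example, added here and not part of the question or answer, of the point made above: the browser filter is incidental, and output encoding at render time is the actual control. It also shows what the ENT_QUOTES suggestion from the comments changes when the value lands inside a single-quoted attribute. The inputs are constructed sample values, and html_escape and greeting are names chosen for this example.

```php
<?php
// Added example (not from the original post). The same user-supplied strings are
// rendered with and without proper escaping, in text and attribute contexts.

// Constructed sample inputs standing in for $_POST["first_name"].
$first_name = "<script>alert('hello')</script>";
$quoted     = "O'Brien";   // constructed: a legitimate name containing a single quote

// Encode for HTML output. ENT_QUOTES also converts the single quote (the default
// flags did not before PHP 8.1); the charset is given explicitly so multibyte
// input cannot be mis-decoded by the encoder.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The page's greeting, with the user value encoded once, at output time, so the
// markup stays inert no matter what the browser's own XSS filter does.
function greeting(string $name): string
{
    return html_escape($name) . ", thank you for your interest. We'll be in touch soon!";
}

echo greeting($first_name), PHP_EOL;

// Attribute context: without ENT_QUOTES the single quote in the value terminates
// the attribute early, so anything after it is parsed as new attributes; with
// ENT_QUOTES it is encoded and stays inside the attribute.
printf("<input value='%s'>%s", htmlspecialchars($quoted, ENT_COMPAT, 'UTF-8'), PHP_EOL); // broken attribute
printf("<input value='%s'>%s", html_escape($quoted), PHP_EOL);                            // intact attribute
```

Run it with the PHP CLI and compare the two <input> lines in the output; the first one has the value cut off at the apostrophe.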
