0

In my database I have data for example a code such as this: <script type="text/javascript">alert('Xss done');</script>

I get the data from database and I need to populate them in input field. My user then can edit the code. I confuse whether I need to escape the javascript code in my input field because I understand you only need to escape it if you display it with <label>, or <p> element etc etc.

But right now I'm getting alert box with that code. Should I escape it?? If yes then how can I properly escape it because I use this code htmlspecialchars($user_input, ENT_QUOTES) and the javascript code in the input field successfully turn into this &lt;script type=&quot;text/javascript&quot;&gt;alert(&#039;Xss done&#039;);&lt;/script&gt; but I'm still getting the alert box??

Please help me and thank you.

sg552
  • 1,459
  • 4
  • 29
  • 55
  • 1
    *"and the javascript code in the input field successfully turn into this `<script type="text/javascript">alert('Xss done');</script>` but I'm still getting the alert box"* You must have made a mistake when testing that, you will not get the alert if you put that text in the `value` attribute of an `input`: http://jsfiddle.net/oh6o5v75/ That is the correct way to do it. – T.J. Crowder Aug 23 '15 at 11:37

2 Answers2

1

Your right about using htmlspecialchars(). Here is an example which works:

<input type="text" value="<?php
    echo htmlspecialchars('<script type="text/javascript">alert("Xss done");/script>')
?>"/>

which produces

<input type="text" value="&lt;script type=&quot;text/javascript&quot;&gt;alert(&quot;Xss done&quot;);&lt;/script&gt;"/>

This will display an <input> field with the text as is (including <scripts> tags) and not trigger any alerts. The default flags ENT_COMPAT | ENT_HTML401 for htmlspecialchars() should be ok.

Mifeet
  • 12,006
  • 4
  • 55
  • 100
1

Do I need to escaping html output in input field?

Yes, every input must be escaped. Especially if it comes from the user. You should never ever trust user's input.

htmlspecialchars has some sort of a bug where you can't directly include strings in it's second and third parameter. Therefore a workaround is needed. As of PHP 5.4+ the default charset is UTF-8 before that it was ISO-8859-1

ENT_IGNORE Will just drop all invalid code. This is bad for two reasons: First, you won’t notice invalid encoding, because it will be simply dropped. Second, this imposes a certain security risk

ENT_SUBSTITUTE Is a new alternative option which has more sensible approach at the problem: Instead of just dropping the code units they will be replaced by a Unicode character (U+FFFD). So invalid code unit sequences will be replaced by � characters.

/**
 * htmlspecialchars fix|hack. Well done PHP, well done...
 */
define('CHARSET', 'UTF-8');
define('REPLACE_FLAGS', ENT_QUOTES | ENT_SUBSTITUTE);

function filter($string = null)
{
    return htmlspecialchars($string, REPLACE_FLAGS, CHARSET);
}

For more information how to prevent XSS, SQL injection see these links: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet How can I prevent SQL injection in PHP?

Community
  • 1
  • 1
Stanimir Dimitrov
  • 1,879
  • 2
  • 17
  • 24