Reputation: 6389
I'm going through my site and doing a security audit. I've simply accepted the fact that I need to sanitize ALL user input, but I've never really stopped and experimented with what's really going on. I'm starting to experiment now.
I have a typical contact form on a PHP page. It's POSTing data: $_POST["first_name"]; etc.
I do this to sanitize: $firstName = htmlspecialchars($_POST["first_name"]);
and then display a message like the one below.
echo $firstName . ", thank you for your interest. We'll be in touch soon!";
I started to play with this, and if I enter something such as <script>alert('hello')</script> in the first name field, htmlspecialchars does its job and converts the tags.
When I remove htmlspecialchars, the script doesn't get converted and it displays in the source as <script>alert('hello')</script>, BUT it does not execute.
My question is, why doesn't this execute? Isn't this basically what an XSS attack would do? Am I misunderstanding something?
Upvotes: 3
Views: 821
Reputation: 191769
When I tried this in Chrome I saw an error in the console:
Refused to execute a JavaScript script. Source code of script found within request.
So it's possible modern browsers do this check to prevent it. You should continue to sanitize your input regardless, of course, but check your console and you will probably see this.
Upvotes: 5
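A hardened version of the output step discussed above, added here as an example and not code from the asker or the answerer. The console message the answer saw came from Chrome's XSS Auditor, a browser-side heuristic that Chrome removed in version 78, so the only dependable control is escaping every value at output time, in the context where it is used. The helper name e(), the greeting() function and the CLI branch with its constructed input are assumptions of this example.

```php
<?php
// Added example (not the original page's code): one escaping helper for every
// value echoed into HTML. ENT_QUOTES also escapes the single quote, which a bare
// htmlspecialchars() call left alone before PHP 8.1 changed its default flags;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Builds the thank-you line. Nothing is stripped on input; the value is escaped
// at the moment it is placed into an HTML text context.
function greeting(string $firstName): string
{
    return e($firstName) . ", thank you for your interest. We'll be in touch soon!";
}

if (PHP_SAPI === 'cli') {
    // Constructed input standing in for $_POST["first_name"] when run from the shell,
    // so the escaped output can be inspected without a browser.
    $input = "<script>alert('hello')</script>";
    echo greeting($input), PHP_EOL;
} else {
    $firstName = $_POST['first_name'] ?? '';
    // Declaring the charset stops the browser from guessing an encoding in which
    // the escaped bytes could be reinterpreted.
    header('Content-Type: text/html; charset=UTF-8');
    echo '<p>', greeting($firstName), '</p>';
}
```

Run it with `php` on the command line to see the tags rendered as entities; served through a web server, the same function handles the real form submission.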