Reputation: 4254
I'm building an application that retrieves any type of user input, even if the user puts in XSS injection code. Besides that, I'm providing an admin view to show the full content of what the user put in, whether they put in HTML code, BB code, XSS, JavaScript, etc. (something like for analysis purposes).
I'm thinking that htmlentities($data, ENT_QUOTES) is enough for that, but after reading https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet it makes me more confused.
I don't want to remove any tag or script, I just want to display it in HTML with escaping. Is it safe if I put it in a textarea tag? I mean, if the data contains XSS, it would not be executed if in a textarea?
<textarea name="comment" rows="30" cols="100"><?php echo htmlentities($data, ENT_QUOTES); ?></textarea>
Or is there any secure way to display XSS in the browser but have the XSS itself not executed?
Sorry for my bad English.
Thanks
Upvotes: 0
Views: 217
Reputation: 1500
The code you have posted is prone to XSS: if your admin opens specially crafted user input, the attacker can gain administrative privileges to that page. Placing user code within a textarea or any other tag does not protect from XSS attacks. All the hacker has to do is close the textarea tag in his input and do whatever he wants to.
I'm glad that you found the OWASP cheat sheet :) It's very useful; you should follow it. Remember to escape all user input that is placed on the page.
I would recommend using htmlspecialchars
and then do some tests with the tags presented here. If you don't see a JS alert then your application is to some extent protected from XSS attacks.
Upvotes: 1
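To make the break-out scenario from the answer and the escaping from the question concrete, here is an added example that is not part of either post. It renders a constructed attacker payload into the question's textarea twice: once verbatim, and once through htmlentities with ENT_QUOTES and an explicit charset. The helper names (render_raw, render_escaped, closing_tag_count) and the payload are assumptions made for this demonstration.

```php
<?php
// Added example, not code from the question or the answer. Shows what an
// unescaped closing-tag payload does to the question's <textarea> template,
// and what htmlentities() turns it into.

// Escape for an HTML element-content or attribute context.
// Always pass the charset explicitly: older PHP releases defaulted to
// ISO-8859-1, which mis-handles UTF-8 input. ENT_SUBSTITUTE (PHP 5.4+)
// replaces invalid byte sequences instead of returning an empty string,
// so a malformed submission is still visible to the admin.
function escape_html(string $data): string
{
    return htmlentities($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe rendering: user input is written into the page verbatim.
function render_raw(string $data): string
{
    return '<textarea name="comment" rows="30" cols="100">' . $data . '</textarea>';
}

// Rendering with escaping, as in the question's snippet.
function render_escaped(string $data): string
{
    return '<textarea name="comment" rows="30" cols="100">' . escape_html($data) . '</textarea>';
}

// Demo-only heuristic, not a sanitizer: count "</textarea" tokens that an
// HTML parser would treat as the end of the element (followed by whitespace,
// "/" or ">"). A correct rendering contains exactly one, written by the
// template itself.
function closing_tag_count(string $html): int
{
    return preg_match_all('#</textarea[\s/>]#i', $html);
}

// Constructed payload: tries to close the textarea early, then inject script.
$payload = "</textarea><script>alert(document.cookie)</script>";

foreach (['raw' => render_raw($payload), 'escaped' => render_escaped($payload)] as $mode => $html) {
    printf("%-8s closing tags: %d\n%s\n\n", $mode, closing_tag_count($html), $html);
}
```

Run it with `php demo.php`. The raw rendering contains two closing tags, the attacker's and the template's, so the script element lands outside the textarea. The escaped rendering contains one: the payload's `<` and `>` are emitted as `&lt;` and `&gt;`, so the browser never sees a `</textarea` token and the admin sees the literal attack string as text inside the box. The caveat the OWASP cheat sheet is about is context: this encoder is only correct for element content and quoted attributes; the same value placed inside a `<script>` block, a JavaScript string, a URL or an unquoted attribute needs the encoder for that context instead.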