CODEWITHSUNDEEP
phpajax
BernardA
BernardA

Reputation: 1523

htmlentities, htmlspecialchars and ajax issue

Trying to use htmlentities/htmlspecialchars with ajax call and it does not convert to html tag when remote output is rendered back onto the originating script.

I've searched all over for a solution but could not find one, so here I am.

All works well without applying htmlentities, but I got this scanned for XSS and came up as potential issue.

Here is the relevant portion of the code in the remote php file:

<select class = "hook1" id = "<?php echo $version ; ?>" name="vdiesel" >
<option>Version essence</option>
<?php
while ($r= $stmt->fetch(PDO::FETCH_ASSOC)) { 
$out="<option   value='".$r['version_id'].'|'.$r['vid_diesel']."'>".$r['version']."</option>";
//echo $out;
echo htmlentities($out, ENT_QUOTES, 'UTF-8');
}
echo "</select>";

And the relevant?? portion of the ajax call:

    $.ajax({
    type: "POST",
    dataType:"html",       
    url: url, 
    beforeSend: function () {
  $("#"+ selbot).html("<option>Loading ...</option>");
    },
    data: {passval:pass_id, pass2:selbot},
   success: function(data){
     $("#"+ selbot).html(data);
   }
   });

This is an example of the response from Firebug console:

<select class = "hook1" id = "version9" name="vdiesel" >
<option>Version essence</option>
&lt;option value=&#039;685|686&#039;&gt;Pop Star Essence&lt;/option&gt;
</select>
</body>
</html>

The above gets printed onto the html correctly, except for the line sanitized with htmlentities, which gets printed out as below, apparently correct but without recognizing the html tag:

<option value='685/686'>Pop Star Essence</option>

I am certainly missing some basic stuff, hope you will let me know. Thanks

Upvotes: 1

Views: 1194

Answers (2)

Barmar
Barmar

Reputation: 780889

You're using htmlentities() in the wrong place. It should be used only on the part of the data that should be shown literally, not the HTML container.

while ($r= $stmt->fetch(PDO::FETCH_ASSOC)) { 
    $out="<option   value='" . htmlentities($r['version_id'], ENT_QUOTES, 'UTF-8') . '|' . htmlentities($r['vid_diesel'], ENT_QUOTES, 'UTF-8') . "'>". htmlentities($r['version'], ENT_QUOTES, 'UTF-8') . "</option>";
    echo $out;
}

Upvotes: 1

jeroen
jeroen

Reputation: 91734

You are encoding too much.

You should just encode the values you get from the database so that they cannot break the html (and do not pose an XSS risk...):

$out="<option value='".htmlentities($r['version_id'], ENT_QUOTES, 'UTF-8')
       .'|'.htmlentities($r['vid_diesel'], ENT_QUOTES, 'UTF-8')."'>"
       .htmlentities($r['version'], ENT_QUOTES, 'UTF-8')."</option>";

Upvotes: 2

Related Questions