Reputation: 405
Is htmlspecalchars in html value attributes enough to prevent xss?
Is htmlspecialchars() a foolproof way of preventing any risk of an XSS attack on HTML element attributes?
For example, in this input element will the use of htmlspecialchars() also encoding quotes ensure total safety?
Logically it would seem so as it would stop any string from breaking out of the context of the value attribute; or is there more that could be done?
<input type="text" value="<?php echo htmlspecialchars($dangerousString, ENT_QUOTES, 'UTF-8'); ?>"
Upvotes: 0
Views: 323
Answers (1)
Reputation: 214949
Assuming you're using a modern version of php, htmlspecialchars should do the trick.
It's important to note that you also must provide the same encoding (utf8) for the whole page via headers and meta tags. Otherwise, you're subject to UTF-7 injection.
Also do note, that htmlspecialchars is fine only for attributes like value, that don't interpret javascript. It's not enough for src and friends.
Upvotes: 1
Related Questions
- When used correctly, is htmlspecialchars sufficient for protection against all XSS?
- XSS attack to bypass htmlspecialchars() function in value attribute
- htmlspecialchars vs htmlentities when concerned with XSS
- Do I need to use htmlentities() in html tag attributes to prevent XSS attacks
- Is it redundant to use htmlspecialchars for input then use htmlentities on output?
- htmlspecialchars - different escaping for attributes compared to everything else?
- Is htmlspecialchars required if you are not outputting html?
- Is addslashes() safe to prevent XSS in a HTML attribute?
- How to prevent XSS in attributes
- Is php htmlspecialchars safety for JS?