user4271704

Reputation: 763

Why not use strip_tags() to prevent XSS attacks instead of htmlspecialchars()?

If I need to display $_GET values in templates, why not use strip_tags() to prevent XSS attacks instead of htmlspecialchars()?

Upvotes: 0

Views: 1427

Answers (2)

Wateround

Reputation: 11

htmlspecialchars() can escape all the special characters that someone would be able to add, for example a <script>alert('You've been hacked');</script>

The main parts of securing a website are:

htmlspecialchars() - To prevent XSS
MySQLi prepared statements - To prevent SQL injection

There are a lot of other attacks, but these two are a must for every website in the world; otherwise, I will be able to hack your website in 1 minute (no lie).

Upvotes: 1

Jason Spicer

Reputation: 239

Because strip_tags doesn't fix every possible abuse case. True, it fixes the worst offenders, but there are other cases, e.g. when inserting values back into <input> tags yourself, where the quotes can be broken out of.

Consider: <input type="text" value="my string" />

If my string comes from some other data source that isn't XSS-protected, it could conceivably contain something like: "><script ....

which can use the original closing > of the input tag - and strip_tags may or may not catch that case. I seem to remember it looks for < followed by > which wouldn't be found in the above string.

Upvotes: 2
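The following is an added example and is not code from the question or from either answer. It renders the <input type="text" value="..." /> from the answer above with untrusted input and compares what strip_tags() and htmlspecialchars() leave behind, covering both the partial "><script .... string from the answer and a string that contains no tag at all. The render_input(), sanitize_with_strip_tags(), sanitize_with_htmlspecialchars() and attribute_closed_early() helpers are assumptions made for this demo, and both input strings are constructed.

```php
<?php
// Added example, not code from the question or either answer. It renders
// the answer's <input type="text" value="..." /> with untrusted input and
// compares strip_tags() with htmlspecialchars(). All inputs are constructed.

declare(strict_types=1);

// Attribute context from the answer: the value lands between double quotes.
function render_input(string $value): string
{
    return '<input type="text" value="' . $value . '" />';
}

// Approach from the question: remove tags and hope nothing harmful is left.
function sanitize_with_strip_tags(string $untrusted): string
{
    return strip_tags($untrusted);
}

// Approach from the answers: encode the characters that have meaning in
// HTML. ENT_QUOTES matters here, because without it the double quote
// that closes the attribute can be left untouched on older PHP defaults.
function sanitize_with_htmlspecialchars(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Heuristic check used only by this demo: a literal value="" at the start
// of the attribute means the injected quote ended the attribute early and
// whatever follows is parsed by the browser as further markup.
function attribute_closed_early(string $rendered): bool
{
    return str_contains($rendered, 'value=""');
}

// Constructed inputs: the partial tag from the answer, and a tag-free
// string that contains nothing for strip_tags() to remove.
$inputs = [
    'partial tag'   => '"><script ....',
    'no tag at all' => '" title="injected',
];

foreach ($inputs as $label => $untrusted) {
    $stripped = render_input(sanitize_with_strip_tags($untrusted));
    $escaped  = render_input(sanitize_with_htmlspecialchars($untrusted));

    echo $label, PHP_EOL;
    echo '  strip_tags:       ', $stripped,
         attribute_closed_early($stripped) ? '   <- attribute broken' : '', PHP_EOL;
    echo '  htmlspecialchars: ', $escaped,
         attribute_closed_early($escaped) ? '   <- attribute broken' : '', PHP_EOL;
}
```

The tag-free input passes through strip_tags() unchanged, since there is no < for it to act on, so the leading quote still terminates the value attribute; with the partial tag, strip_tags() drops the tag fragment but the quote in front of it survives. htmlspecialchars() turns " into &quot; (and < and > into &lt; and &gt;), so the browser keeps the whole string inside the attribute in both cases. Pass ENT_QUOTES explicitly: before PHP 8.1 the default flags did not escape single quotes, which matters if a template uses single-quoted attributes. str_contains() requires PHP 8.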
