zeroday

Reputation: 173

why is this xss not working

I am just trying to exercise on XSS and I want the alert box to pop up on echo, which should work on echo. I am doing exercises based on concepts and here I have a wrong usage of htmlspecialchars, which is vulnerable to XSS. However, this is not really working and I don't get why. Here is my code:

<?php
// escape the submitted value before it is echoed into the page body
$name = htmlspecialchars($_GET['myname'] ?? '');

echo "<HTML><body>";
echo '<form action="">';
echo "name: <input type='text' name='myname' ><br>";
echo "<input type='submit' ></form>";

echo $name; // here I want the xss to execute a popup box

echo "</body></HTML>";

The input script looks like this.

<script>alert();</script>

I have also tried many alternatives. The script is displayed as I typed it and there is no alert box.

Upvotes: 0

Views: 1234

Answers (2)

Quentin

Reputation: 943560

I have a wrong usage of htmlspecialchars, which is vulnerable to xss

Your usage isn't wrong for the rest of the code you have, and it isn't vulnerable to XSS for the code that you have.

Using htmlspecialchars with only one argument uses the default settings which makes <, ", >, and & characters safe.

This is absolutely fine when the content is being output somewhere that you could put a text node.

The main situation where it isn't enough to protect your HTML is when you are:

  • Delimiting your attribute values with ' instead of "
  • Putting the data inside an attribute value

That's when you need ENT_QUOTES so that ' gets escaped too. Otherwise you could end up with:

<?php
$user_input = "' onmouseover='alert(1)'";
?>
<body data-userinput='<?php echo $user_input; ?>'>

… so new attributes which trigger JS could be added.

(Note you also need different sanitisation techniques if you are inserting data into JS or URLs).

Upvotes: 2
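The following is an added example, not code from the question or from either answer. It runs the question's input and the answer's attribute-breakout input through htmlspecialchars() with ENT_COMPAT (double quotes only, the default flag set before PHP 8.1) and with ENT_QUOTES, and renders each into the text-node and attribute contexts the answer describes. The two helper names and all input strings are constructed for this illustration.

```php
<?php
// Added example (not from the question or the answers). Contrasts the two
// quote-escaping modes of htmlspecialchars() across the output contexts
// discussed above. All inputs are constructed samples.

// Escapes < > & and " only (ENT_COMPAT). Sufficient for a text node such as
// the question's "echo $name", and for a double-quoted attribute value.
function escapeForTextNode(string $input): string
{
    return htmlspecialchars($input, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');
}

// Escapes ' as well (ENT_QUOTES). Needed whenever the value is placed inside
// an attribute delimited with single quotes.
function escapeForAttribute(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$scriptInput = '<script>alert();</script>';   // the input from the question
$singleQuoteInput = "' onmouseover='alert(1)'"; // the input from the answer
$doubleQuoteInput = '" onmouseover="alert(1)"'; // constructed double-quote variant

// 1. Text node: the angle brackets are turned into entities, so the browser
//    shows the tag as text instead of parsing a script element.
echo '<p>' . escapeForTextNode($scriptInput) . '</p>', PHP_EOL;

// 2. Single-quoted attribute, ENT_COMPAT: the apostrophe passes through
//    unchanged, the attribute closes early, and onmouseover becomes real markup.
echo "<body data-userinput='" . escapeForTextNode($singleQuoteInput) . "'>", PHP_EOL;

// 3. Same attribute, ENT_QUOTES: the apostrophe is encoded as an entity, so
//    the whole input stays inside the attribute value.
echo "<body data-userinput='" . escapeForAttribute($singleQuoteInput) . "'>", PHP_EOL;

// 4. Double-quoted attribute, ENT_COMPAT: the double quote is already escaped,
//    so this breakout attempt is neutralised even without ENT_QUOTES.
echo '<body data-userinput="' . escapeForTextNode($doubleQuoteInput) . '">', PHP_EOL;
```

Run it from the command line with `php` and compare lines 2 and 3 of the output: in the ENT_COMPAT rendering the single quote is printed verbatim and the markup contains a genuine onmouseover attribute, while in the ENT_QUOTES rendering it appears as an entity and the attribute value is intact. Passing ENT_QUOTES unconditionally (and pinning the charset) removes the dependence on which quote style a template happens to use and on the PHP version's default flags.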

ceejayoz

Reputation: 180014

I am doing exercises based on concepts and hier I have a wrong usage of htmlspecialchars, which is vulnerable to xss.

You don't, though. You've used htmlspecialchars exactly as it's supposed to be used, and are thus protected against XSS here.

Upvotes: 3
