Reputation: 729
I understand it is useful to sanitize user input when you display it on your site, using a function like htmlentities() in PHP. But would something like this present an XSS risk?
<input type="text" value="<?=user input drawn from the database?>" />
Would it be better to sanitize the input like this?
<input type="text" value="<?=htmlentities(user input drawn from the database)?>" />
I should specify that I'm only talking about the security risk of input value attributes, I know I still have to sanitize user input if I want to display it elsewhere on the site.
Upvotes: 3
Views: 924
Reputation: 32598
I could enter text like this,
escape!" /><script>alert("I escaped, because you didn't escape!");</script><img src="
which would give you the following output: (Formatted for readability)
<input type="text" value="escape!" />
<script>
alert("I escaped, because you didn't escape!");
</script>
<img src="" />
You are just concatenating strings, not manipulating the DOM, so you still need to watch out for quotes.
Upvotes: 3
Reputation: 317
Possibly, yes: consider that the user input from the database may contain a double quotation mark.
You should use htmlentities($str, ENT_QUOTES);
to convert quotation marks.
http://php.net/manual/en/function.htmlentities.php
Upvotes: 3
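To make the two answers above concrete, here is an added example (not code from the question or from any of the answers) that renders the first answer's payload into an input value attribute three ways: raw concatenation, htmlentities() with its default flags, and htmlspecialchars() with ENT_QUOTES as the second answer recommends. The payloads are constructed here as string literals standing in for values read from the database; the helper names (render_raw, render_escaped, breaks_out) are this example's own. It also goes one step beyond the thread and shows why ENT_QUOTES matters: the pre-8.1 default, ENT_COMPAT, escapes double quotes but leaves single quotes alone, so a single-quoted attribute stays injectable without it.

```php
<?php
// Added example, not from the question or any of the answers above.
// Renders the same attacker-controlled value into an <input value="..."> the
// three ways discussed on this page and shows what each produces.

declare(strict_types=1);

// Payload from the first answer: closes the attribute and the tag, then injects a script.
// Constructed here as a literal; on a real site it would come from the database.
const PAYLOAD = 'escape!" /><script>alert("I escaped, because you didn\'t escape!");</script><img src="';

// 1. The question's first snippet: raw string concatenation, no escaping.
function render_raw(string $value): string
{
    return '<input type="text" value="' . $value . '" />';
}

// 2. The question's second snippet: htmlentities() with its default flags.
//    Before PHP 8.1 the default is ENT_COMPAT (escapes " but not ');
//    from 8.1 it is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.
function render_htmlentities_default(string $value): string
{
    return '<input type="text" value="' . htmlentities($value) . '" />';
}

// 3. What the second answer recommends: ENT_QUOTES so both quote styles are
//    converted. ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''
//    (an empty string would silently blank the field). Passing the charset
//    explicitly avoids depending on the default_charset ini setting.
function render_escaped(string $value, bool $single_quoted = false): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return $single_quoted
        ? "<input type='text' value='" . $escaped . "' />"
        : '<input type="text" value="' . $escaped . '" />';
}

// Crude check used only for this demo: does the rendered markup still contain
// a <script> tag, i.e. did the payload break out of the attribute?
function breaks_out(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$cases = [
    'raw'                         => render_raw(PAYLOAD),
    'htmlentities() default'      => render_htmlentities_default(PAYLOAD),
    'htmlspecialchars ENT_QUOTES' => render_escaped(PAYLOAD),
];

foreach ($cases as $label => $html) {
    printf("%-28s breaks out: %-3s\n%s\n\n", $label, breaks_out($html) ? 'yes' : 'no', $html);
}

// The single-quote case is why ENT_QUOTES matters: ENT_COMPAT leaves ' alone,
// so a single-quoted attribute is still injectable unless ENT_QUOTES is used.
$single = "x' onfocus='alert(1)";   // constructed payload aimed at a single-quoted attribute
printf("single-quoted, ENT_COMPAT:  %s\n",
    "<input type='text' value='" . htmlspecialchars($single, ENT_COMPAT, 'UTF-8') . "' />");
printf("single-quoted, ENT_QUOTES:  %s\n", render_escaped($single, true));
```

Run it with `php` on the command line. Only the raw case reports a break-out; both escaped variants keep the whole payload inside the attribute value, and the last two lines show the ENT_COMPAT rendering leaking an onfocus attribute where the ENT_QUOTES rendering does not. The same escaping has to be applied at output time for every attribute, whichever quote style the template uses; escaping once before storing in the database does not help if a later page renders the value in a different context.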
Reputation:
But would something like this present an XSS risk?
Yes, something like that would present an XSS risk as long as the data hasn't been already sanitized before inserting it in the database.
Would it be better to sanitize the input like this?
Yes, it is trivial to sanitize every user input before displaying it on a webpage. Also take a look at htmlspecialchars().
Upvotes: 1