- Will htmlentities avoid all XSS in php?
- Erwin Moller
January 24, 2008, 11:05 am
Question: If I use htmlentities($orginalString,ENT_QUOTES) everywhere I
output anything to the browser that originated from user input, will an
XSS attack be possible?
I think not, but I found a lot of different ways to XSS related on the
net (like DNS rebinding: http://en.wikipedia.org/wiki/DNS_rebinding ).
will not be executed.
Is htmlentities enough?
Should I also use the third parameter for htmlentities (charset)?
What do you do to protect your sites against XSS?
- C. (http://symcbean.blogspot.com/)
January 24, 2008, 1:34 pm
Re: Will htmlentities avoid all XSS in php?
You're just eliminating one vector for the CSS attack. Admittedly it's
the one most commonly exploited.
Not sure how you would leverage DNS rebinding as a CSS attack - but it
browser requests page from (redirected to bad server) site
js file referenced by page is loaded by browser from (redirected to
bad server) site, comes back with headers to say cache this for a
(DNS changed to point to 'good' server)
Browser is now running the bad server's js file on the good servers
Sure - it's difficult (although far from impossible) to steal
somebody's Domain - but ICMP redirection? Competing DHCP?
Your proposal is a good start, but don't assume that it eliminates all
possible CSS attacks.
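
An added example, not part of either post: htmlentities() with ENT_QUOTES and an explicit charset covers HTML body and quoted-attribute output, while URL attributes and inline script need their own handling. The helper names (esc_html, esc_url_attr, esc_js) and the sample inputs are constructed for illustration, and UTF-8 is assumed as the page encoding.

```php
<?php
// Added example: helper names and sample inputs are constructed; UTF-8 assumed.

// HTML body and quoted-attribute context. ENT_QUOTES encodes both quote
// styles; the explicit charset keeps the encoder in step with the page.
function esc_html(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// href/src context. Entity encoding does not touch a URL scheme, so the
// scheme is allow-listed first. Relative URLs (no scheme) are rejected too,
// which is deliberately strict for this example.
function esc_url_attr(string $url): string
{
    $url = trim($url);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '#';
    }
    return esc_html($url);
}

// Inline <script> context. JSON-encode with the HEX flags so that <, >, &
// and quotes cannot close the string or the script element.
function esc_js($value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($value, $flags | JSON_THROW_ON_ERROR);
}

// Constructed user input, one value per output context.
$name  = '<script>alert(1)</script>';
$title = '" onmouseover="alert(1)';
$link  = 'javascript:alert(1)';

header('Content-Type: text/html; charset=UTF-8');
?>
<p>Hello, <?= esc_html($name) ?></p>
<input type="text" value="<?= esc_html($title) ?>">

<!-- htmlentities() alone returns the javascript: URL unchanged in this context -->
<a href="<?= esc_url_attr($link) ?>">profile</a>

<script>
var userName = <?= esc_js($name) ?>;
</script>
```

Attribute values must stay quoted in the template: esc_html() does not encode spaces, so it gives no protection in an unquoted attribute.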