Will htmlentities avoid all XSS in php?

Hi all,

Question: If I use htmlentities($orginalString,ENT_QUOTES) everywhere I
output anything to the browser that originated from user input, will an
XSS attack be possible?

I think not, but I found a lot of different ways to XSS related on the
net (like DNS rebinding: http://en.wikipedia.org/wiki/DNS_rebinding ).
As far as I can see DNS-rebinding is useless as long as the JavaScript
will not be executed.

Is htmlentities enough?
Should I also use the third parameter for htmlentities (charset)?
What do you do to protect your sites against XSS?

Erwin Moller

Re: Will htmlentities avoid all XSS in php?

On 24 Jan, 11:05, Erwin Moller

You're just eliminating one vector for the CSS attack. Admittedly it's
the one most commonly exploited.

Not sure how you would leverage DNS rebinding as a CSS attack - but it
doesn't stop javascript from executing -
- browser requests page from (redirected to bad server) site
- js file referenced by page is loaded by browser from (redirected to
  bad server) site, comes back with headers to say cache this for a
- (DNS changed to point to 'good' server)
- Browser is now running the bad server's js file on the good servers

Sure - it's difficult (although far from impossible) to steal
somebody's domain - but ICMP redirection? Competing DHCP?

Your proposal is a good start, but don't assume that it eliminates all
possible CSS attacks.
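
An added example, not code from either poster: htmlentities with ENT_QUOTES and an explicit charset handles HTML text and quoted attributes, while URL attributes and inline script need their own handling. The helper names esc_html, esc_url and esc_js are hypothetical, the inputs are constructed, and PHP 7.3 or later is assumed.

```php
<?php
declare(strict_types=1);

// Added example; helper names are hypothetical, not from the thread.

// HTML text and quoted attribute values: the call from the question,
// with the third parameter (charset) given explicitly.
function esc_html(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL attributes (href, src): entity encoding leaves the scheme intact,
// so allow-list the scheme first, then encode for the attribute.
// This version accepts absolute http(s) URLs only.
function esc_url(string $url): string
{
    $url = trim($url);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '#';
    }
    return esc_html($url);
}

// Values placed inside a <script> block: emit a JSON literal with
// <, >, &, ' and " written as \uXXXX escapes.
function esc_js($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample inputs.
$name = '<b onmouseover="x()">Erwin</b>';
$link = 'javascript:void(0)';

// Text context: markup in $name is rendered inert.
echo '<p>', esc_html($name), "</p>\n";

// htmlentities alone has nothing to encode in $link, so it comes back as is.
var_dump(htmlentities($link, ENT_QUOTES, 'UTF-8') === $link);

// URL context: the scheme check replaces the value with '#'.
echo '<a href="', esc_url($link), '">profile</a>', "\n";

// Script context: JSON literal instead of entity encoding.
echo '<script>var name = ', esc_js($name), ";</script>\n";
```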

