{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 做自己的国王 的问题《Is htmlspecialchars() required on ALL output?》','https://www.manongdao.com/q-446590.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I am writing some scripts for Expression Engine and have been told that every single piece of data which we output to the page, requires 'sanitizing', to prevent XSS.
For example here, I am fetching all Categories from the database, sorting into an array and returning to Expression Engine.
PHP Function
public function categories()
{
$query = $this->crm_db->select('name, url_name')
->order_by("name", "asc")
->get_where('activities_categories', array('active'=>1));
foreach($query->result() as $row)
{
$activityCategories[0]['cats'][] = array(
'categoryName' => $row->name,
'categoryURL' => $row->url_name,
);
}
return $this->EE->TMPL->parse_variables($this->EE->TMPL->tagdata, $activityCategories);
}
Template Code
{exp:activities:categories}
{cats}
<a href="/{categoryURL}">{categoryName}</a>
{/cats}
{/exp:activities:categories}
I am being told, that I need to use htmlspecialchars() function on every single piece of data which is being outputted.
Is this necessary?
Is this correct?
Example:
foreach($query->result() as $row)
{
$activityCategories[0]['cats'][] = array(
'categoryName' => htmlspecialchars($row->name),
'categoryURL' => htmlspecialchars($row->url_name),
);
}
Many thanks! :)
htmlspecialchars()required on ALL HTML output unless told otherwise.Other output media (such as
JS,JSONetc.) require their own escaping.Whether
htmlspecialcharssuffices or not depends on the context the data is put into. Because it only escapes certain characters using character references which are only a mitigation in certain contexts:If it’s HTML text (outside of HTML tags), it suffices:
If it’s inside a quoted HTML attribute value, it suffices (see also flags parameter for single quoted attributes):
However, there are certain attributes which still can be used for XSS, e.g., attributes for URIs.
Any other context may require the escaping of other characters. For example, an unquoted attribute value would require any whitespace character also being escaped as it otherwise would end the attribute value.
Also note that a context may require different types of encodings. For example, if you want to print a JavaScript value embedded into
<script>, you have to obey both JavaScript and HTML syntax rules.Well, if you don't want XSS problems, then using
htmlspecialchars()is a good idea. If you didn't, someone could store a malicious<iframe>, or<script>in your code.Now, you don't necessarily need to protect the output. If you sanitize the data coming in, you can store the sanitized data instead. Doing it this way allows you to purposefully store non-sanitized data for maybe styling purposes which would be ready for output.
As far as your example is concerned, it is correct. That is one way you can do it.
EDIT: You only need to apply
htmlspecialchars()to strings.