Menu
I'm going through my site and doing a security audit. I've simply accepted the fact that I need to sanitize ALL user input, but I've never really stopped and experimented with what's really going on. I'm starting to experiment now.
I have a typical contact form on a PHP page. It's _POSTing data. $_POST["first_name"]; etc.
I do this $firstName = htmlspecialchars($_POST["first_name"]); to sanitize and display a message like the one below.
echo $firstName . ', thank you for your interest. We'll be in touch soon!'
I started to play with this and if I enter something such as <script>alert('hello')</script> in the first name field, htmlspecialchars does it's job and coverts the tags.
When I remove htmlspecialchars the script doesn't get converted and it displays in the source as <script>alert('hello')</script> BUT, it does not execute.
My question is, why doesn't this execute? Isn't this basically what an XSS attack would do? Am I misunderstanding something?
241
When I tried this in Chrome I saw an error in the console:
Refused to execute a JavaScript script. Source code of script found within request.
So it's possible modern browsers do this check to prevent it. You should continue to sanitize your input regardless of course, but check your console and you will probably see this.
109
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
