5

I have a staff.php page which contains the staff's name, position and detail. When a user needs to edit staff info, they are sent to the edit.php page. The edit.php page shows the name and title in text fields and the detail in a textarea.

My question is, do I even need htmlspecialchars on the edit.php page? I am not printing anything to the user's page, only into those fields. But I am using htmlspecialchars on staff.php before printing to the user.

Is it still open to an XSS attack?

Code

Part from staff.php

$staff.="<div id='sob'>".htmlspecialchars($title)."<br>".htmlspecialchars($sub_title)."<div><a href='edit.php?pid=".htmlspecialchars($pro_id)."'><input type='submit' id='editx' name='editx' value='Edit'></a></div><div id=''><br>".htmlspecialchars($detail)."</div><hr id='h'></div>";

Part from edit.php

if(isset($_GET["pid"])){
  $name4=$title;            //
  $sub_title4=$sub_title;   //using prepared statement
  $detail4=$detail;         //
}

HTML part at edit.php

<input type='text' id='staff_name' name='staff_name' value="<?php echo $name4;?>" required>
<br><input type='text' id='staff_pos' name='staff_pos' value="<?php echo $sub_title4;?>" required>
<br><textarea id='staff_detail' name='staff_detail' cols='30' rows='6' required><?php echo $detail4;?></textarea><br>
Coder
    Yes, because if the value of `$detail4` was `` it would be vulnerable. – Michael Berkowski Mar 18 '15 at 00:28
  • 1
    For the `` tags with variables in `value=` you also need to use it with the `ENT_QUOTES` option, to prevent a quote inside the variable from closing the `value=` attribute and breaking your HTML. `value=""` – Michael Berkowski Mar 18 '15 at 00:33
  • Okay, that makes sense. As I found from most blogs, I thought `XSS` might only occur when printing to the screen. – Coder Mar 18 '15 at 00:34
  • Placing variables inside form values _is_ printing them to the screen, even though they are not directly output. A better way to put it is _any time you are using PHP values from user input to generate HTML markup_ – Michael Berkowski Mar 18 '15 at 00:35
  • But I want to allow `single quote`. Is it ok if I use the default one, `ENT_COMPAT`? – Coder Mar 18 '15 at 00:35
  • ENT_COMPAT is fine if you consistently use double quotes for the attributes. – Michael Berkowski Mar 18 '15 at 00:36
  • _“but I want to allow single quote”_ – using `htmlspecialchars` is not about allowing (or in turn, “forbidding”) something – it is about making what _is_ allowed safe for being output as HTML. – CBroe Mar 18 '15 at 00:37
  • Thanks a lot, man. Hats off. If you want to add this as an answer, I would be more than happy to accept it, because I've learnt something new. – Coder Mar 18 '15 at 00:39

1 Answer

9

Protection against XSS isn't just necessary when variables are to be displayed on the screen; it is needed whenever user-generated values are used to build HTML markup, whatever the context.

It is necessary to call htmlspecialchars() on a PHP variable placed inside a <textarea>. Consider the following:

<?php
    // Unsafe text in the variable
    $detail4 = '</textarea><script>alert("XSS!");</script>';
?>

<textarea><?php echo $detail4; ?></textarea>

This results in a closed </textarea> followed by an unsafe injected script (and another closing </textarea> the browser will probably ignore).

It is also necessary to call htmlspecialchars() on the variables placed into value="" attributes, choosing the appropriate constant to ensure internal quotes in the variables are correctly encoded to prevent the attribute being prematurely ended with a quote. If you consistently use double quotes on the attributes, you can accept the default of ENT_COMPAT, but if you sometimes quote attributes with single quotes, use ENT_QUOTES.

<input type='text' name='staff_pos' value="<?php echo htmlspecialchars($sub_title4, ENT_QUOTES);?>" ...>
Adrian Cid Almaguer
Michael Berkowski
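Putting the answer's two points together, as an added example that is not part of the question or the answer (the escapeHtml() helper and the sample values are constructed for it): the same </textarea> payload rendered unescaped and escaped, and the difference ENT_COMPAT versus ENT_QUOTES makes for a value containing a single quote.

```php
<?php
declare(strict_types=1);

// Escape a value for HTML text or for a quoted attribute. ENT_QUOTES encodes
// both " and ', so the result is safe whichever quote style wraps the
// attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
// (Helper name is an assumption for this example, not a PHP built-in.)
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample values standing in for the rows edit.php reads from the
// database; the first one is the payload quoted in the answer.
$detail4    = '</textarea><script>alert("XSS!");</script>';
$sub_title4 = "O'Brien \"Data\" & Co";

// What the question's edit.php emits: the textarea is closed early and the
// <script> element becomes part of the page.
$unsafe = "<textarea name='staff_detail'>{$detail4}</textarea>";

// The escaped form: every <, >, &, " and ' is encoded, so the browser shows
// the text verbatim inside the textarea instead of parsing it as markup.
$safe = "<textarea name='staff_detail'>" . escapeHtml($detail4) . "</textarea>";

echo "Unescaped: $unsafe\n";
echo "Escaped:   $safe\n";

// Why the flag matters: ENT_COMPAT (the default before PHP 8.1) leaves the
// single quote alone, which is fine inside value="..." but would let the
// value end a value='...' attribute early. ENT_QUOTES encodes it as &#039;,
// so the escaped value is safe in either quoting style.
$compat = htmlspecialchars($sub_title4, ENT_COMPAT, 'UTF-8');
$quotes = escapeHtml($sub_title4);
echo "ENT_COMPAT: value=\"$compat\"\n";
echo "ENT_QUOTES: value='$quotes'\n";

// Self-check: no raw markup or quote characters may survive escaping.
assert(strpbrk(escapeHtml($detail4), '<>"\'') === false);
assert(strpbrk($quotes, '<>"\'') === false);
```

Run it with `php example.php`; the ENT_COMPAT line still shows the bare apostrophe, which is exactly the character that breaks out of a single-quoted attribute.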