
For XSS protection in PHP I am using

htmlspecialchars($text,ENT_QUOTES,"UTF-8");

I read about how grave accents can be used as quotes. I am wondering: is htmlspecialchars enough, or should I also run a string replace for grave accents?

SilverlightFox
Darrin Woolit

1 Answer


Grave accents have no special meaning within HTML so are not an XSS attack vector there (unless you embed them in a context where they do have special meaning, but I can't think of any such contexts supported by HTML).

Quentin
    o_o https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Grave_accent_obfuscation – Scott Arciszewski Aug 06 '15 at 14:01
  • @ScottArciszewski — Interesting. I wonder what browsers are vulnerable to that attack. Chrome, for instance, parses it correctly (and puts the backticks inside the attribute value) and refuses to execute JS in an image `src` anyway. – Quentin Aug 06 '15 at 14:05
  • 1
    According to HTML5 spec, the only mention of grave quotes is that they are not allowed in an unquoted attribute: https://html.spec.whatwg.org/multipage/syntax.html#attribute-value-(unquoted)-state – ircmaxell Aug 06 '15 at 17:30
  • @ircmaxell, quentin - it's our old friend Internet Explorer that allows [attribute values to be quoted via backticks](https://html5sec.org/#102). – SilverlightFox Aug 07 '15 at 08:25
  • Ah, IE, the cause of and solution to... Wait, no. Just the cause of all of life's problems. – ircmaxell Aug 07 '15 at 21:06
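As an added example that is not part of the question, the answer or the comments above, the script below runs the exact call from the question on constructed input and shows what it does and does not encode, then drops the result into a quoted attribute, an unquoted attribute, and a quoted attribute with the backtick additionally encoded. The helper names encodeForHtml and encodeForHtmlAttribute, and the sample input, are invented for this illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the original question, answer or comments). It shows
// which characters htmlspecialchars() with ENT_QUOTES encodes, that a backtick
// passes through untouched, and why the HTML context the output lands in, not
// the backtick itself, decides whether that matters.

function encodeForHtml(string $text): string
{
    // ENT_QUOTES encodes both " and '; ENT_SUBSTITUTE replaces invalid UTF-8
    // with U+FFFD instead of returning an empty string for the whole input.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Defence-in-depth variant for attribute values: also encodes the backtick,
// so even a parser that treats ` as a quote (old Internet Explorer, per the
// comments above) sees no quote character in the attacker-controlled data.
function encodeForHtmlAttribute(string $text): string
{
    return str_replace('`', '&#96;', encodeForHtml($text));
}

// Constructed attacker-controlled input (not a real captured payload): it mixes
// the characters htmlspecialchars() handles with a backtick and a space.
$untrusted = 'x` onmouseover=alert(1) "y\'z<b>&';

printf("encoded:           %s\n", encodeForHtml($untrusted));
// & < > " ' are encoded as &amp; &lt; &gt; &quot; &#039;
// the backtick and the space are left exactly as they were.

// 1. Quoted attribute: safe. The only way out of value="..." is a literal ",
//    and that is encoded. The backtick is ordinary text inside the quotes.
$quoted = '<input value="' . encodeForHtml($untrusted) . '">';
printf("quoted attribute:  %s\n", $quoted);

// 2. Unquoted attribute: unsafe even though every character htmlspecialchars()
//    knows about is encoded. The space ends the value, so onmouseover=alert(1)
//    becomes a second attribute. The HTML spec forbids backticks in unquoted
//    values and old IE treated them as quotes, but the space alone is enough
//    to break this context. No escaping function repairs it; quote the
//    attribute instead.
$unquoted = '<input value=' . encodeForHtml($untrusted) . '>';
printf("unquoted attribute (broken): %s\n", $unquoted);

// 3. Quoted attribute with the backtick also encoded. This costs nothing in a
//    quoted attribute and removes the one character whose treatment differed
//    between browsers.
$hardened = '<input value="' . encodeForHtmlAttribute($untrusted) . '">';
printf("quoted + backtick encoded:   %s\n", $hardened);
```

The point the script makes is the one the answer and comments circle around: htmlspecialchars with ENT_QUOTES is sufficient for text nodes and for attribute values that are actually wrapped in single or double quotes, because the characters that can end those contexts are all encoded. An unquoted attribute is broken by a plain space long before backtick handling comes into play, so the fix there is to quote the attribute rather than to add more replacements. Encoding the backtick on top is a cheap extra for attribute contexts if legacy IE is in scope.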