I'm having to work on an old web app that a previous developer left. It is using addslashes() to prevent XSS on an HTML attribute.
Here is an example:
<?php
// all $_POST vars are put through addslashes()
echo "<input type='hidden' value='" . $_POST['id'] . "' />";
?>
Is this vulnerable to XSS? Is there any way JavaScript can run in a value attribute like it can in an src attribute, for example src='javascript:alert(99)'? Or can the value attribute be broken out of and then script tags be inserted?
Edit: Thanks to Quentin, I believe it is vulnerable.
Asked Dec 2, 2011 at 8:45 by MrCode; edited Dec 2, 2011 at 9:16.

2 Answers
Is addslashes() safe to prevent XSS in an HTML attribute?
It is highly ineffective.
Is this vulnerable to XSS?
Yes.
Is there any way javascript can run in a value attribute like it can in an src attribute for example, src='javascript:alert(99)'.
No.
Or can the value attribute be broken out of and then script tags can be inserted?
The data just has to include a " and the attribute is broken out of.
Use htmlspecialchars when you want to insert an arbitrary string into an attribute value.
addslashes() is not appropriate for this task. Use htmlspecialchars() or htmlentities() instead, e.g.
<input type="hidden"
value="<?php echo htmlspecialchars($_POST['id'], ENT_QUOTES, 'UTF-8') ?>">
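The following script is an added example, not code from the question or from either answer. It puts the two approaches side by side on a constructed sample value containing an apostrophe (standing in for $_POST['id']) and includes a small hypothetical helper, attributeStaysClosed(), that a reviewer can use to check whether a rendered attribute value still contains an unencoded quote. The function names are assumptions for this illustration only.

```php
<?php
// Added example (not from the original question or answers).
// Constructed sample input standing in for $_POST['id'].
$untrusted = "O'Brien";

// What the old app does: addslashes() only prefixes ' " \ and NUL with a
// backslash. HTML gives a backslash no special meaning, so the quote that
// follows it still terminates the single-quoted attribute.
function renderWithAddslashes(string $value): string
{
    return "<input type='hidden' value='" . addslashes($value) . "' />";
}

// Context-correct escaping: htmlspecialchars() with ENT_QUOTES turns both
// quote characters (as well as < > &) into character references that the
// browser renders as text and never treats as attribute delimiters.
function renderWithHtmlspecialchars(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type='hidden' value='" . $safe . "' />";
}

// Hypothetical review helper: does the text between value=' and ' /> still
// contain a raw quote character? If it does, the attribute can be closed
// early by the data, which is the condition the answers describe.
function attributeStaysClosed(string $markup): bool
{
    if (!preg_match('#value=\'(.*)\' />#s', $markup, $m)) {
        return false;
    }
    return strpos($m[1], "'") === false && strpos($m[1], '"') === false;
}

echo renderWithAddslashes($untrusted), PHP_EOL;
echo renderWithHtmlspecialchars($untrusted), PHP_EOL;
var_dump(attributeStaysClosed(renderWithAddslashes($untrusted)));
var_dump(attributeStaysClosed(renderWithHtmlspecialchars($untrusted)));
```

Run it with the PHP CLI and compare the two rendered lines: the addslashes() version still carries the apostrophe inside the attribute (only now preceded by a backslash), while the htmlspecialchars() version has replaced it with a character reference, so the helper reports false for the first and true for the second. ENT_SUBSTITUTE is included so that an invalid UTF-8 byte sequence in the input is replaced rather than causing htmlspecialchars() to return an empty string.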