
From the tutorial, I learnt that using htmlentities() can prevent XSS attacks, and that to allow users to format their posts, you can let them use bbcodes...

Then I read about this:

You might get some additional XSS security holes with some tags.

A common bbcode tag is the URL tag. We could imagine that someone entered

[url=http://www.phpfreaks.com]The best PHP website[/url]

which would be converted to:

<a href="http://www.phpfreaks.com">The best PHP website</a>

At first glance there is no issue with allowing that. However, URLs like javascript:alert('Hi') are also allowed and they will, obviously, execute the entered Javascript. Similarly, in some lower versions of Internet Explorer (IE6 and below) that URL format is allowed and will execute Javascript, so we have to take care of that as well.

I can't understand what it means. Can the experts here explain a bit?

Also, I do allow users to enter their web link in my form. Is using htmlentities() on the URL input enough to prevent the XSS attack? Or is the above statement trying to say that htmlentities() can't prevent XSS attacks on user input that contains a URL?

Thanks!

https://forums.phpfreaks.com/topic/162410-xss-attack/

It is saying that if you use the bbcode url tag, you are potentially vulnerable to XSS exploits in the manner shown.

To prevent this, when you convert the url bbcode to its HTML, you run a check to see if it executes any javascript. If it does, simply remove the javascript call, or html-entities that url after it has been converted from bbcode.

You should be able to check using regular expressions (preg_match) to see if there are any offending items, and/or use preg_replace to replace them.

So if there is a url=javascript you replace that with url=

Hope that helps.



Thanks for the explanation.

My case is to not allow users to use html or bbcode to format their input, but to allow users to key in a URL as their input. So I just wonder, in this case, is only using htmlentities() enough? Or do I still need to do what you have suggested?

Thanks for the reply!


that's meant by using htmlentities(), can escape those attack code like javascript in URL?

 

All that htmlentities does is convert characters that are interpreted by the HTML engine to their html entity code. So < gets converted to &lt; and > gets converted to &gt; so that it is not "interpreted" by the HTML engine as actual markup, but as straight text.

If you are not using BBCode and just allow people to enter the URL like http://www.joy.com which gets converted, then you are fine, as javascript: should not be interpreted/activated by that.

So if the user enters this:

<a href="javascript:">test</a>

it gets converted to:

&lt;a href=&quot;javascript:&quot;&gt;test&lt;/a&gt;

which will not get "processed" to where a user could click on a link to activate the script. If I am missing something there let me know.

In the above mentioned "BBCode" post, without coding to thwart it, this might be problematic:

[url=javascript:]url[/url]

When the BBCode gets parsed, it turns into

<a href="javascript:">url</a>

which could be an exploit if clicked on, and chances are your BBCode is processed after htmlentities is called, as that is sort of the point of having BBCode: to allow users to "safely" enter links, images etc. without opening up the full realm of what they can do with html.

To answer your question, if you are not using BBCode, htmlentities will protect you. If you are, you need to look into determining if Javascript was put into the url tag before parsing the BBCode and removing/replacing that entry if it was.

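An added example, not from this thread, of the two situations the replies describe: a plain text field where htmlentities() on the whole value is enough, and a BBCode [url] tag where the scheme has to be checked before the tag becomes an anchor. The function names and the sample inputs are assumptions for this example.

```php
<?php
// Added example (not from the thread). Two cases the replies above discuss:
//  1. a plain text field: htmlentities() on the whole value is enough, because
//     the result is never parsed as markup;
//  2. a BBCode [url] tag: the URL ends up inside href="...", so the scheme must
//     be checked before the tag is turned into HTML.
// Names (is_safe_url, bbcode_url_to_html) are assumptions for this example.

// Allowlist the schemes a [url] tag may carry. Allowlisting beats searching for
// the string "javascript", which misses other schemes and obfuscated spellings.
function is_safe_url(string $url): bool
{
    return (bool) preg_match('~^https?://~i', $url);
}

// Convert [url=...]text[/url] into an anchor. Href and link text are each
// entity-encoded exactly once here, at conversion time, instead of running
// htmlentities() over the whole post first and then double-encoding parts.
function bbcode_url_to_html(string $input): string
{
    return preg_replace_callback(
        '/\[url=([^\]]+)\](.*?)\[\/url\]/is',
        function (array $m): string {
            $url  = trim($m[1]);
            $text = htmlentities($m[2], ENT_QUOTES, 'UTF-8');
            if (!is_safe_url($url)) {
                // Rejected scheme: keep the visible text, emit no link at all.
                return $text;
            }
            $href = htmlentities($url, ENT_QUOTES, 'UTF-8');
            return '<a href="' . $href . '">' . $text . '</a>';
        },
        $input
    );
}

// Case 1: plain text field containing a hostile anchor (constructed sample).
$plain = '<a href="javascript:alert(1)">test</a>';
echo htmlentities($plain, ENT_QUOTES, 'UTF-8'), "\n";

// Case 2: BBCode posts (constructed samples): the first becomes a link,
// the second loses its link and keeps only the text.
echo bbcode_url_to_html('[url=http://www.phpfreaks.com]The best PHP website[/url]'), "\n";
echo bbcode_url_to_html('[url=javascript:alert(1)]click me[/url]'), "\n";
```

Run it with the php CLI; the allowlist check is what makes the difference, since a blocklist for the word "javascript" would still let other schemes through.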
