I was asking myself about the security of using the php function htmlentities() against XSS attacks, and maybe of related functions such as htmlspecialchars.
thanks a lot :)
+2
A:
You will need to explicitly specify proper encoding (e.g: utf-8), Chris had a post on how to inject code even calling htmlentities without appropriate encoding.
Jay Zeng
2009-12-11 22:56:07
Thanks a lot that is exactly the kind of proof i was looking for :) i have to study encoding issues. Do you know some good documentation about that?
fatmatto
2009-12-11 23:07:14
I encourage you to read a real world example of Gmail contact xss, and reading the exploit, which is downloadable in the below post, will hopefully give you some ideas of how to write secure code:http://uneasysilence.com/archive/2007/01/9025/And here is a cheat sheet you may find useful:http://openmya.hacker.jp/hasegawa/security/utf7cs.html
Jay Zeng
2009-12-11 23:15:04
Thank you very very much :D
fatmatto
2009-12-11 23:17:04
Glad it helps :)
Jay Zeng
2009-12-11 23:42:51
+1
A:
It is not bullet-proof, it never saves you 100%. You must remember that when it comes to security, the developer is responsible for it. Languages do provide good deal of security functions and more so it is up to developer how they secure their site whether they use whitelist approach or blacklist approach. If htmlentities was all, frameworks like codeigniter, kohana and more would not have come up with their own great security functions.
The most important thing is to sanitalize and filter any input coming from the user.
Sarfraz
2009-12-12 05:53:08