tags:

views:

524

answers:

5

Is it necessary to filter/escape unsafe variables in <title> or other tags in <head> to prevent XSS?

+10  A: 

Strictly speaking it is necessary to do htmlspecialchars() on absolutely everything you output to a web page from PHP.

If you come to a point where this produces a wrong result (i.e. HTML code is showing up in the browser because of double encoding) you have found a design flaw in your application.

XSS would not be a problem if people stuck to this simple rule.

Tomalak
+3  A: 

Yes. You should always use the htmlspecialchars function on values that may contain HTML special characters.

Gumbo
+4  A: 

As others have said, yes. For example, someone might enter this for a title:

</title><script>doEvilStuff()</script>

Which would probably do evil stuff.

EDIT: You might want to do this instead:

htmlspecialchars(strip_tags($title))

Because most (all? some?) browsers won't interpret tags in the title correctly - that is, they'll actually show up in the title rather than doing what you'd expect.

Jesse Rusak
No need to strip_tags, when you html-escape it afterwards.
troelskn
For security, you're right, but I know that some browsers (all browsers?) treat tags literally in titles. So, if you use a <b> tag, it will show up literally rather than bolding the text.
Jesse Rusak
That's why I asked the question. So far I've seen every browser treat tags literally in <title>
Imran
Right - you still need to escape them, though, because a </title> could appear and then nastiness afterwards.
Jesse Rusak
Of course. If you run it through htmlspecialchars, it would be treated literally, because <b> then becomes &lt;b&gt; ... That's not special to the <title> tag.
troelskn
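An added example, not code from the question or from any of the answers (helper names are assumed), that puts the two approaches discussed in this answer and its comments side by side, escape-only and strip_tags() followed by escaping, and checks that neither lets a user-supplied </title> survive in the rendered element:

```php
<?php
// Added example, not from the original thread; function names are assumed.
declare(strict_types=1);

/** Escape text for placement inside an HTML element such as <title>. */
function escapeHtml(string $value): string
{
    // ENT_QUOTES: PHP before 8.1 defaults to ENT_COMPAT and leaves ' alone,
    // which matters if this helper is ever reused inside an attribute.
    // ENT_SUBSTITUTE: replace invalid UTF-8 instead of returning "".
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Escaping alone is sufficient against the </title> break-out. */
function renderTitleEscaped(string $untrusted): string
{
    return '<title>' . escapeHtml($untrusted) . '</title>';
}

/**
 * Strip tags first so they do not show up literally in the window title,
 * then escape. The order matters: escaping first turns "<b>" into
 * "&lt;b&gt;", which strip_tags() no longer recognises as a tag.
 * Caveat: strip_tags() does not parse HTML and can swallow text after a
 * stray "<" (for example "1 < 2"), so the escape-only form is preferable
 * unless literal tags in titles are a real problem for the site.
 */
function renderTitleStripped(string $untrusted): string
{
    return '<title>' . escapeHtml(strip_tags($untrusted)) . '</title>';
}

/** True when nothing but our own <title>...</title> element survives. */
function isSafeTitle(string $rendered): bool
{
    return preg_match('~^<title>[^<>]*</title>$~', $rendered) === 1;
}

// Constructed sample inputs, including the payload from the answer above.
$samples = [
    'Tom & Jerry',
    'Shows <b>literally</b>',
    '</title><script>doEvilStuff()</script>',
];
foreach ($samples as $input) {
    foreach (['escaped' => renderTitleEscaped($input),
              'stripped' => renderTitleStripped($input)] as $mode => $out) {
        printf("%-8s %-60s %s\n", $mode, $out, isSafeTitle($out) ? 'ok' : 'UNSAFE');
    }
}
```

For the script payload the escape-only form yields a title that displays the tags as text, while the stripped form yields just doEvilStuff(); both pass the check because the only angle brackets left are the ones the code wrote itself.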
A: 

I prefer htmlentities().

A: 

Title is 'htmlspecialchar()' but ... htmlspecialchars()?