Consider this example:
[php]<?php
function escape ($unescaped) {
return htmlentities($unescaped, ENT_QUOTES, 'UTF-8');
}
$data = !empty($_GET['data']) ? $_GET['data'] : null;
?>
<?= escape($data) ?>[/php]
[php]// http://test.local/?data=xss<script>alert(document.cookie);</script>
// Output (HTML source; the browser shows it as literal text, nothing runs):
xss&lt;script&gt;alert(document.cookie);&lt;/script&gt;[/php]
Seems pretty safe, right? But would you trust htmlentities for all of your output escaping, in every context the page puts data into?
You shouldn't.
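As an added example that is not part of the original post (and not a solution to the challenge below), here is the post's escape() helper beside one escaper per output context, rendered over the same attacker input. The helpers escape_html, escape_js_string and escape_js_number, the render() template and the payload strings are this example's own constructions.

```php
<?php
// Added example, not the original post's code: the post's escape() next to
// context-specific escapers. Helper names and payloads are constructed here.

function escape($unescaped) {
    return htmlentities($unescaped, ENT_QUOTES, 'UTF-8');
}

// HTML body or a quoted attribute value: htmlentities with ENT_QUOTES is right.
function escape_html($s) {
    return htmlentities((string) $s, ENT_QUOTES, 'UTF-8');
}

// JavaScript string literal inside <script>: emit a complete JSON string
// literal and hex-escape < > & ' " so the HTML parser never sees a closing
// tag or a stray quote. The returned value includes its own quotes.
function escape_js_string($s) {
    return json_encode((string) $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Numeric JavaScript slot (var n = <?= ... ?>;): no escaper makes an
// arbitrary string safe here, so validate and reject non-integers instead.
function escape_js_number($s) {
    $n = filter_var($s, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new InvalidArgumentException('numeric slot: value is not an integer');
    }
    return (string) $n;
}

// One template, three output contexts. $esc maps a context name to a
// callable whose return value is pasted straight into that slot.
function render($data, $count, array $esc) {
    return "<p>" . $esc['html']($data) . "</p>\n"
         . "<script>var data = " . $esc['js']($data)
         . "; var count = " . $esc['num']($count) . ";</script>\n";
}

// Constructed attacker input for the demonstration.
$data  = "xss<script>alert(document.cookie);</script>";
$count = "1; alert(document.cookie)";

// 1. The post's approach: escape() for every slot, JS quotes added by hand.
$everywhere = [
    'html' => 'escape',
    'js'   => function ($s) { return "'" . escape($s) . "'"; },
    'num'  => 'escape',
];
echo "--- htmlentities everywhere ---\n";
echo render($data, $count, $everywhere);
// <p>xss&lt;script&gt;...&lt;/script&gt;</p>   safe, shown as text
// var data = 'xss&lt;script&gt;...';            no breakout (ENT_QUOTES),
//                                               though the JS value is mangled
// var count = 1; alert(document.cookie);        nothing was escaped: script runs

// 2. One escaper per context.
$perContext = [
    'html' => 'escape_html',
    'js'   => 'escape_js_string',
    'num'  => 'escape_js_number',
];
echo "--- context-specific ---\n";
try {
    echo render($data, $count, $perContext);
} catch (InvalidArgumentException $e) {
    // The numeric slot refuses the payload rather than emitting it.
    echo "rejected: " . $e->getMessage() . "\n";
}
```

Run it from the command line with `php` and compare the two `<script>` lines: htmlentities only touches `& < > " '`, so a slot that needs no quote to break out of (an unquoted number, an unquoted attribute, a URL scheme) gets no protection from it at all, and the fix for that slot is validation rather than encoding.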
What if somewhere on the page, you do this:
[php]<?php
function escape ($unescaped) {
return htmlentities($unescaped, ENT_QUOTES, 'UTF-8');
}
$data = !empty($_GET['data']) ? $_GET['data'] : null;
?>
Is it still safe?
First one with an XSS vector that rick rolls* me, and issues a fix** gets a cookie (karma point).
* embed or automatically redirect to http://www.youtube.com/watch?v=dQw4w9WgXcQ
** for both strings and numbers, might be two different methods.