
Say I have a form with which a user inputs some information that is submitted to the server using PHP, and in the PHP code I have, say:

$data = $_POST['data'];
// or
$data = strip_tags(@$_POST['data']);
  1. I want to know if strip_tags() is enough to stop JavaScript injection through HTML forms. If not, how else can this be prevented? I have read here.

  2. And also, say I input javascript:void(document.bgColor="blue") in the browser address bar; this changes the whole site background color to blue. How can JavaScript injection through the address bar be prevented?

Thanks.

asked Jul 27, 2017 at 19:44 by diagold
  • Using the filter_input() and filter_input_array() functions is typically the better approach. You should completely avoid using the superglobals $_GET and $_POST, etc. – Octopus, Jul 27, 2017 at 19:47
  • Not even famous websites have that strong protection. Facebook has good protection, and it still can call functions, depending on the browser ofc – Djordje Vujicic, Jul 27, 2017 at 19:54

4 Answers

I suggest using htmlspecialchars whenever you want to output something to the browser:

echo htmlspecialchars($data, ENT_QUOTES, 'UTF-8');

Check out this.

For question 2, I'm not sure if that's even possible to prevent. It's not something I've ever considered before. It sounds like you're trying to prevent the execution of any JavaScript that wasn't included by you on the page, which would also mean blocking the browser's devtools from executing anything in the console. This could potentially be hostile to your users, e.g. if they wanted to use a bookmarklet from Instapaper.

For 1, ultimately your goal is to avoid including the injected JavaScript from the form when you generate a new page. When you output the data from the form, you can wrap it in htmlspecialchars.

It depends on which output you are trying to get.

In some cases you'll want to keep the HTML tags, including script tags, but you want those elements not to run when you output them. In that case you should use htmlspecialchars($_POST['data']) (it's suggested to also pass utf8 as the third parameter).

But if you want to remove the tags entirely, then strip_tags will prevent XSS.

One function cannot fully protect you from script injection. Consider the following program:

<?php
// Both values are escaped with htmlspecialchars, but the iframe attributes
// below are written without quotes, which is the defect this answer shows.
if(isset($_POST['height']))
  $height=htmlspecialchars($_POST['height'], ENT_QUOTES, 'UTF-8');
else $height=200;
if(isset($_POST['width']))
  $width=htmlspecialchars($_POST['width'], ENT_QUOTES, 'UTF-8');
else $width=300;
echo("
<!DOCTYPE html>
<html>
<body>
<iframe src='whatever' height=$height width=$width>
</iframe>
</body>
</html>
");

The input is sanitized, but JavaScript will still be executed through a simple injection vector like:

300 onload=alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83))

You still need to quote your attributes, or you are vulnerable as in this example.

Another semi-common injection vector exists when user input is echoed into JavaScript comments, and you can inject new lines or close the comment. I blame it on the 'this shit doesn't work as it should, but let's keep it around in a comment'-style of development.

Note: The XSS protection of many browsers will not run my simple example. If you want to try it, use one without protection, or find a vector that defeats it (not sure if there is one for e.g. Chrome).
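As an added example (not part of this answer or the question), the iframe markup above rendered three ways with the payload quoted in the answer: escaped but unquoted, escaped and quoted, and type-validated. The function names and the dimension limits are mine.

```php
<?php
// Added example; the only thing taken from the answer is the payload string.

// Escape for an HTML attribute value or text node. ENT_QUOTES turns both ' and "
// into entities, so the value can never terminate a quoted attribute.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The answer's pattern: escaped but UNQUOTED attributes. A space in the value
// starts a new attribute, and htmlspecialchars leaves space, '=' and '(' alone.
function renderUnquoted(string $height, string $width): string {
    return "<iframe src='whatever' height=" . h($height) . " width=" . h($width) . "></iframe>";
}

// Quoted attributes: the value stays inside the quotes whatever it contains,
// because the only characters that could close them are now entities.
function renderQuoted(string $height, string $width): string {
    return '<iframe src="whatever" height="' . h($height) . '" width="' . h($width) . '"></iframe>';
}

// Defence in depth for this particular field: a dimension is a small positive
// integer, so validate the type instead of relying on escaping alone.
// (1..4000 and the 200/300 defaults are assumptions for the example.)
function renderValidated(string $height, string $width): string {
    $dim = static function (string $v, int $default): int {
        return ctype_digit($v) && (int)$v >= 1 && (int)$v <= 4000 ? (int)$v : $default;
    };
    return sprintf('<iframe src="whatever" height="%d" width="%d"></iframe>',
        $dim($height, 200), $dim($width, 300));
}

$payload = '300 onload=alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83))';

echo renderUnquoted('200', $payload), PHP_EOL;
// width=300 onload=alert(...)  -> "onload" became its own attribute; escaping did not help.

echo renderQuoted('200', $payload), PHP_EOL;
// width="300 onload=alert(...)" -> the whole payload is one (invalid) width value.

echo renderValidated('200', $payload), PHP_EOL;
// width="300" -> the non-numeric payload is rejected and the default is used.
```

Run it from the command line with `php example.php`; the three printed lines show the same escaped value landing in a different HTML context each time.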
