Does the filter protect the array from xss?

Today I came across some code that built a JavaScript array in PHP, using only PHP's addslashes() for sanitization. At first I thought it was an easy XSS vulnerability, but I could not see its flaw. Here is an example of what I mean:

foo.php

```php
$itemList = "[";
foreach ($array as $item) {
    $itemList .= "'" . addslashes($item) . "',";
}
$itemList .= "'']"; // original read "$itemList = ..." (missing "."), which would have discarded the loop's output
```

bar.html

```html
<script> var a = <?php echo $itemList; ?> </script>
```

Obviously something like `']; alert("xss"); b=['` will not be effective, because it will be converted to `\']; alert(\"xss\"); b=[\'`. So is it really safe and my code smell doesn't exist?


Edit:

Can someone show me how this does not work? I know this is not best practice, and I would not use this in my code, but if I want to rewrite the code, I need proof to convince others.

+4
1 answer

No, no, no, no, no, no.

Use the correct function for the correct job.

addslashes is not an escaping function for any context; it just adds slashes.

If you are printing in HTML, use htmlentities (or htmlspecialchars, if applicable).

If you are printing in JavaScript, use json_encode.

If you are building a MySQL query, use mysql_real_escape_string.

And so on.


An example of abusing addslashes instead of json_encode is the string: `"</script><iframe src=hxxp://phising.mywebsite.com>"`

This will close the script tag and insert an iframe from an untrusted and potentially dangerous domain.

+6
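As an added example (not code from the question or the answer above), the following PHP builds the array literal from the question both ways, the questioner's addslashes() version beside a json_encode() version, and checks whether the resulting JavaScript still contains a `</script` sequence, which is what the answer's string relies on. The sample items and the hostname are constructed placeholders; the helper names are my own.

```php
<?php
// Added example, not from the original question or answer.
// Sample input is constructed; "attacker.example" is a placeholder hostname.

function buildWithAddslashes(array $array): string
{
    // The questioner's approach (with the "=" vs ".=" typo on the last line fixed).
    // addslashes() only prefixes ' " \ and NUL; every other character passes through.
    $itemList = "[";
    foreach ($array as $item) {
        $itemList .= "'" . addslashes($item) . "',";
    }
    $itemList .= "'']";
    return $itemList;
}

function buildWithJsonEncode(array $array): string
{
    // json_encode() emits a valid JavaScript array literal. JSON_HEX_TAG turns
    // < and > into \u003C and \u003E, so the text "</script>" can never appear
    // in the output; the other flags also cover quotes and ampersands, which
    // matters if the same value is ever placed inside an HTML attribute.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode(array_values($array), $flags);
}

function containsScriptBreakout(string $js): bool
{
    // The HTML parser ends a <script> block at the first "</script" it sees,
    // case-insensitively, regardless of how the JavaScript strings are quoted.
    return stripos($js, '</script') !== false;
}

$payload = '</script><iframe src=https://attacker.example>'; // constructed sample item
$items   = ['apple', $payload, "it's"];

$unsafe = buildWithAddslashes($items);
$safe   = buildWithJsonEncode($items);

echo "addslashes:  " . $unsafe . PHP_EOL;
echo "json_encode: " . $safe . PHP_EOL;

var_dump(containsScriptBreakout($unsafe));
var_dump(containsScriptBreakout($safe));
```

Running it shows the addslashes() output carrying the payload through untouched (no quote or backslash in it, so nothing was escaped), while the json_encode() output contains `\u003C\/script\u003E` instead; the first var_dump is true and the second false. Even without JSON_HEX_TAG, json_encode() escapes `/` as `\/` by default, which already breaks up the closing tag, but having `<` and `>` leave the output entirely is the simpler rule to rely on.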

Source: https://habr.com/ru/post/1411823/

