Javascript XSS sanitizes if data is already sanitized using PHP

Question

Javascript XSS sanitizes if data is already sanitized using PHP

Update:

I'm still confused, as always. Can someone answer my last comment?

If all my data (+ title1 + and + title2 + in this example - see below) is sanitized using PHP, do I also need to worry about javascript? I am worried that I use title = '"+ title2 +"' (apostrophes are my concern) in my code below.

HTML \ JavaScript:

 <div id="verification"></div>

 <script>


function update() {
    $.ajax({
    url: 'update.php', //php          
    data: "", 
    dataType: 'json',   
    success: function (data) {
        //on receive of reply
        var title1 = data[0];
        var title2 = data[1];          

        $('#verification').html("<img src=images/test"+title1+".gif title='"+title2+"'></img>");     //output to html
        }
    });
}

</script>

json answer

["1","test test test"]

output (as text Mouseover with title)

test test test

php (skipped php cleanup process)

$result = mysql_query("SELECT title1, title2 FROM users WHERE username = '$foobar'")
or die(mysql_error());
$array = mysql_fetch_row($result);
echo json_encode($array);

+4

javascript jquery php

michelle Aug 29 '15 at 21:47

source share

1 answer

Keith · Accepted Answer · 2015-08-31T02:45:52+0000

There are two different elements to consider:

: (PDO mysqli), SQL-
: , , XSS

"" PDO/mysqli, - .

Javascript XSS sanitizes if data is already sanitized using PHP

I'm still confused, as always. Can someone answer my last comment?

More articles: