I have staff.php
page which contains staff's name,position and detail.When user would need to edit staff info,they would be send to edit.php
page.edit.php
page show name and title on text field
and detail on a textarea
My question is,do I even need htmlspecialchars
in edit.php
page.I am not printing anything to users page,only on that fields.But I'm using htmlspecialchars
on staff.php
before printing to user.
Is it still open to XSS Attack
?
Code
part from staff.php
$staff.="<div id='sob'>".htmlspecialchars($title)."<br>".htmlspecialchars($sub_title)."<div><a href='edit.php?pid=".htmlspecialchars($pro_id)."'><input type='submit' id='editx' name='editx' value='Edit'></a></div><div id=''><br>".htmlspecialchars($detail)."</div><hr id='h'></div>";
part from edit.php
if(isset($_GET["pid"])){
$name4=$title; //
$sub_title4=$sub_title; //using prepared statement
$detail4=$detail; //
}
HTML part at edit.php
<input type='text' id='staff_name' name='staff_name' value="<?php echo $name4;?>" required>
</br><input type='text' id='staff_pos' name='staff_pos' value="<?php echo $sub_title4;?>" required>
</br><textarea id='staff_detail' name='staff_detail' cols='30' rows='6' required><?php echo $detail4;?></textarea></br>
Protection against XSS isn't just necessary when variables are to be displayed on the screen; it is needed whenever user-generated values are used to build HTML markup, whatever the context.
It is necessary to call htmlspecialchars()
on a PHP variable placed inside a <textarea>
. Consider the following:
<?php
// Unsafe text in the variable
$detail4 = '</textarea><script>alert("XSS!");</script>';
?>
<textarea><?php echo $detail4; ?></textarea>
This results in a closed </textarea>
followed by an unsafe injected script (and another closing </textarea>
the browser will probably ignore).
It is also necessary to call htmlspecialchars()
on the variables placed into value=""
attributes, choosing the appropriate constant to ensure internal quotes in the variables are correctly encoded to prevent the attribute being prematurely ended with a quote. If you consistently use double quotes on the attributes, you can accept the default of ENT_COMPAT
, but if you sometimes quote attributes with single quotes, use ENT_QUOTE
.
<input type='text' name='staff_pos' value="<?php echo htmlspecialchars($sub_title4, ENT_QUOTES);?>" ...>
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With