
Is PHP's json_encode() vulnerable when embedded in a script element?

I had read OWASP's XSS Prevention Cheat Sheet a long time ago and made a wrapper function to include JSON_HEX_TAG|JSON_HEX_APOS|JSON_HEX_QUOT|JSON_HEX_AMP by default so I would be safe. Or so I thought, until a user at Freenode/##php told me that was unsafe. OWASP was apparently saying to put JSON into an element, have JavaScript grab its contents, and parse it.

This is the worst I could come up with and json_encode() still made it safe. Can anyone think of a string that could break through?

Source:
<script>//<![CDATA[
    window.data=<?php echo json_encode(
        "]]>\"'</script><script>alert(document.cookie)</script>"
        ,JSON_HEX_TAG|JSON_HEX_APOS|JSON_HEX_QUOT|JSON_HEX_AMP
    );?>;
//]]></script>

Output:
<script>//<![CDATA[
    window.data="]]\u003E\u0022\u0027\u003C\/script\u003E\u003Cscript\u003Ealert(document.cookie)\u003C\/script\u003E";
//]]></script>
Chinoto Vokro asked Feb 15 '26 08:02
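The following is an added example, not code from the original post or its answer. It checks the property the question relies on: that with the four JSON_HEX_* flags no raw `<`, `>`, `&` or `'` remains in the output and the value still round-trips. It also sketches the element-based pattern the question attributes to OWASP. It assumes PHP 8; the function names and the `init-data` id are hypothetical.

```php
<?php
declare(strict_types=1);

// Flags from the question: hex-escape <, >, ', " and & inside JSON strings.
const SCRIPT_SAFE = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;

// Hypothetical wrapper: JSON for direct embedding in an inline <script>.
function json_for_script(mixed $value): string
{
    // JSON_THROW_ON_ERROR: raise on invalid UTF-8 instead of returning false.
    return json_encode($value, SCRIPT_SAFE | JSON_THROW_ON_ERROR);
}

// Hypothetical wrapper: JSON as HTML text, read back in the browser with
// JSON.parse(element.textContent).
function json_for_element(mixed $value): string
{
    $json = json_encode($value, JSON_THROW_ON_ERROR);
    return htmlspecialchars($json, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// True when none of the listed raw characters survive in the encoded output.
function has_none_of(string $encoded, string $chars): bool
{
    return strpbrk($encoded, $chars) === false;
}

// Constructed inputs: the question's string, every ASCII character, U+2028/U+2029.
$samples = ["]]>\"'</script><script>alert(document.cookie)</script>"];
for ($c = 0; $c < 128; $c++) {
    $samples[] = chr($c);
}
$samples[] = "\u{2028}\u{2029}";

foreach ($samples as $s) {
    $out = json_for_script($s);
    // The value must round-trip, and no raw <, >, & or ' may remain.
    if (!has_none_of($out, "<>&'") || json_decode($out) !== $s) {
        throw new RuntimeException('unsafe or lossy encoding: ' . bin2hex($s));
    }
    if (!has_none_of(json_for_element($s), "<>\"'")) {
        throw new RuntimeException('unescaped HTML character: ' . bin2hex($s));
    }
}

echo '<script>window.data=', json_for_script($samples[0]), ";</script>\n";
echo '<div id="init-data" hidden>', json_for_element($samples[0]), "</div>\n";
```

The sweep covers string values only; it says nothing about other embedding contexts such as HTML attributes or event handlers.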


1 Answer

Probably the best solution to this would be to make sure that your server's PHP is up to date. I like to use 5.5.21 as it's the latest full release; any above it are available but not properly "released". If you're worried about any possible exploits, read through php.net's latest news and search through some of the specific CVEs that they mention. Those are references to exploits that have been patched.

Hazonko answered Feb 16 '26 21:02


