I'm having to work on an old web app that a previous developer left. It is using addslashes() to prevent XSS on an HTML attribute.
Here is an example:
<?php
// all $_POST vars are put through addslashes()
echo "<input type='hidden' value='" . $_POST['id'] . "' />";
?>
Is this vulnerable to XSS? Is there any way javascript can run in a value attribute like it can in an src attribute for example, src='javascript:alert(99)'. Or can the value attribute be broken out of and then script tags can be inserted?
Edit: Thanks to Quentin, I believe it is vulnerable.
Is addslashes() safe to prevent XSS in a HTML attribute?
It is highly ineffective.
Is this vulnerable to XSS?
Yes.
Is there any way javascript can run in a value attribute like it can in an src attribute for example, src='javascript:alert(99)'?
No.
Or can the value attribute be broken out of and then script tags can be inserted?
The data just has to include a " and the attribute is broken out of.
Use htmlspecialchars when you want to insert an arbitrary string into an attribute value.
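The following is an added example, not code from the question or the answer, that puts the two approaches side by side for the single-quoted attribute from the question. It wraps the escaping in a small helper named attr(), and the input string is a constructed sample rather than real request data.

```php
<?php
// Added example (not from the question or answer): compares addslashes() with
// htmlspecialchars() when building the single-quoted attribute from the question.
// attr() and attributeIsInert() are helpers invented for this example.

declare(strict_types=1);

// Escape a value for use inside an HTML attribute. ENT_QUOTES is required so
// that both ' and " are encoded; before PHP 8.1 the default flags left the
// single quote untouched, which matters for a single-quoted attribute.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The pattern from the question: addslashes() in front of an HTML attribute.
function hiddenInputWithAddslashes(string $value): string
{
    return "<input type='hidden' value='" . addslashes($value) . "' />";
}

// The fix suggested in the answer: htmlspecialchars() with quote handling.
function hiddenInputWithHtmlspecialchars(string $value): string
{
    return "<input type='hidden' value='" . attr($value) . "' />";
}

// A value is safe to drop between attribute quotes only if it contains no raw
// quote of either kind and no angle bracket; everything else is a literal.
function attributeIsInert(string $escaped): bool
{
    return preg_match('/[\'"<>]/', $escaped) === 0;
}

// Constructed sample: a value containing both quote characters and angle brackets.
$untrusted = "42' title=\"x\" <b>";

echo hiddenInputWithAddslashes($untrusted), PHP_EOL;
echo hiddenInputWithHtmlspecialchars($untrusted), PHP_EOL;

// Self-check usable in a test suite: addslashes() output still contains raw
// quotes and brackets, the htmlspecialchars() output does not.
$ok = !attributeIsInert(addslashes($untrusted)) && attributeIsInert(attr($untrusted));
echo $ok ? 'checks passed' : 'checks FAILED', PHP_EOL;
exit($ok ? 0 : 1);
```

Running this with the PHP CLI shows why the backslash does nothing for HTML: addslashes() leaves the single quote in place with a backslash before it, and an HTML parser treats the backslash as an ordinary character, so the attribute still ends at that quote. htmlspecialchars() with ENT_QUOTES replaces the single quote, the double quote and the angle brackets with entities, so the whole value stays inside the attribute. The attributeIsInert() check is the kind of assertion worth adding to a regression test when replacing addslashes() across an old code base.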