In PHP, I know that using parameterized queries is the best way to prevent SQL injection.
But what about sanitizing user input that will be used for other purposes, such as:
Is htmlentities() the best way to sanitize for non-database usage? What is considered to be best practice here?
In PHP the best XSS filter is:
htmlspecialchars($_POST['param'], ENT_QUOTES);
The reason you also have to encode quotes is that you don't need <> to exploit some XSS. For instance, this is vulnerable to XSS:
print('<A HREF="http://www.xssed.com/'.htmlspecialchars($_REQUEST['xss']).'">link</a>');
You don't need <> to execute JavaScript in this case because you can use onmouseover; here is an example attack:
$_REQUEST['xss'] = '" onMouseOver="alert(/xss/)"';
The ENT_QUOTES flag takes care of the double quotes.
E-mail is a bit different: JavaScript shouldn't be executed by the mail client, and if it is, then your site isn't affected due to the Same Origin Policy. But to be on the safe side I would still use htmlspecialchars($var, ENT_QUOTES);
HOWEVER, PHP's mail() function can succumb to a different type of vulnerability, called CRLF injection. Here is an example vulnerability against PHP-Nuke. If you have a function call like this: mail($fmail, $subject, $message, $header);
Then you must make sure that a user cannot inject \r\n into $header.
Vulnerable code:
$header = "From: \"$_GET[name]\" <$ymail>\nX-Mailer: PHP";
Patched:
$_GET['name'] = str_replace(array("\r", "\n"), '', $_GET['name']);
$header = "From: \"$_GET[name]\" <$ymail>\nX-Mailer: PHP";
You may also want to check out HTML Purifier, which will strip any dangerous HTML and leave only safe input. You can also create your own rules on what HTML to allow/disallow.
http://htmlpurifier.org/
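As an added illustration (my own code, not part of the answer above or of any project it mentions), the following script applies both points of that answer: ENT_QUOTES escaping for a value that lands inside an HTML attribute, and a check that refuses CR/LF in anything destined for a mail() header. The helper names attr(), link_html(), mail_header_value() and from_header(), and the sample payloads, are my own constructions; the link markup is the one from the answer.

```php
<?php
// Added example: my own code, not part of the answer above. It applies both of
// the answer's points: ENT_QUOTES escaping for a value placed inside an HTML
// attribute, and a refusal of CR/LF in anything that goes into a mail() header.
// The helper names and the sample payloads are my own constructions.

declare(strict_types=1);

// Escape a value for HTML text or a quoted attribute. ENT_QUOTES encodes both
// " and '; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "" (which
// would silently blank the output). PHP 8.1 made these flags the default, but
// passing them explicitly keeps the behaviour the same on older releases, where
// the default (ENT_COMPAT) left ' untouched.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The answer's link, built with the escaped value.
function link_html(string $xss): string
{
    return '<a href="http://www.xssed.com/' . attr($xss) . '">link</a>';
}

// A mail header value must not contain CR or LF: "\r\n" ends the current header,
// so an attacker could append "Bcc: ..." or start the message body early. This
// rejects such input outright instead of stripping it, so the attempt is visible.
function mail_header_value(string $value): string
{
    if (preg_match('/[\r\n]/', $value) === 1) {
        throw new InvalidArgumentException('CR/LF not allowed in mail header value');
    }
    return $value;
}

// Build the From: header from the answer's example with validated parts. The
// display name is quoted, so embedded " and \ are backslash-escaped as well; the
// address must pass filter_var() so it cannot smuggle in angle brackets or spaces.
function from_header(string $name, string $ymail): string
{
    $name = addcslashes(mail_header_value($name), '"\\');
    if (filter_var($ymail, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid sender address');
    }
    return 'From: "' . $name . '" <' . $ymail . '>';
}

// --- Demonstration with constructed payloads (not captured traffic) ---

// The attack string from the answer: no <> needed, just a closing quote.
// attr() turns every " into &quot;, so the href attribute is never closed.
$payload = '" onMouseOver="alert(/xss/)"';
echo link_html($payload), PHP_EOL;

// The same idea against a single-quoted attribute, which ENT_COMPAT would miss;
// with ENT_QUOTES the apostrophe is encoded as &#039; and the attribute stays closed.
$payload2 = "' onmouseover='alert(1)";
echo "<a href='" . attr($payload2) . "'>link</a>", PHP_EOL;

// Header injection attempt: the CR/LF is rejected before mail() ever sees it.
try {
    from_header("Alice\r\nBcc: everyone@example.com", 'alice@example.com');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}

// A legitimate name containing quotes is escaped rather than rejected.
echo from_header('Alice "the" Admin', 'alice@example.com'), PHP_EOL;
```

Run it with the php command-line binary. Two caveats a practitioner should keep in mind: htmlspecialchars() is only the right encoder for HTML text and attribute values, so a value that lands inside a script block, a URL parameter or a CSS rule needs the encoding for that context instead; and rejecting CR/LF, as above, is preferable to stripping it, because a stripped value can still be wrong in other ways and the rejection tells you someone is probing the form.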