- From: Kornel Lesiński <kornel@geekhood.net>
- Date: Thu, 26 Aug 2010 09:00:59 +0100
On 25.08.2010, at 23:46, Aryeh Gregor wrote:

>> These cases can be secured without any new features in browsers (by
>> escaping whitespace using numeric entities):
>>
>> function htmlescape($str) {
>>     return preg_replace_callback('/[\s<>"\'&]/',
>>         function ($m) { return '&#' . ord($m[0]) . ';'; }, $str);
>> }
>
> That doesn't work in <script> for text/html, does it?

Ah, indeed. Another tricky case came to my mind, which entities cannot
secure (unless special magic is defined for the new entity):

onclick="show('&base64;')"

> These are reasonable points. How many vulnerabilities would it
> actually prevent in practice if htmlspecialchars() were replaced with
> this everywhere? XSS is usually when you don't escape things at all,
> not when you escape them in a slightly wrong way. Easy escaping in
> <script> and <style> would be nice, though (or is there already some
> way to do that?).

In PHP json_encode() works great for outputting data in JS (and can be
configured to JS-escape HTML-unsafe chars too), but I feel like I'm the
only person who knows about it :)

--
regards, Kornel Lesiński
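Added example, not part of Kornel's message: it contrasts the entity-based escaper quoted above with json_encode() for the two contexts the thread raises, a <script> body (where text/html never decodes entities) and an inline event-handler attribute (which is an HTML attribute value first and JavaScript second). The function names htmlescape, jsLiteral and onclickCall and the sample payload are constructed for this example; the JSON_HEX_* flags are the standard json_encode() options.

```php
<?php
// Entity escaping of whitespace and HTML metacharacters, as the quoted
// htmlescape() intends. Correct in HTML text and attribute values, where
// the parser decodes entities; not meaningful inside <script>, where it
// does not.
function htmlescape(string $str): string {
    return preg_replace_callback(
        '/[\s<>"\'&]/',
        function (array $m) { return '&#' . ord($m[0]) . ';'; },
        $str
    );
}

// JSON-encode for a <script> body. JSON_HEX_TAG/AMP/APOS/QUOT turn
// < > & ' " into \uXXXX escapes, and "/" is escaped as "\/" by default,
// so "</script>" in the data cannot terminate the element.
function jsLiteral($value): string {
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Inline handler attribute: encode the argument for JavaScript first,
// then escape the whole expression as an HTML attribute value, because
// the browser decodes entities in the attribute before running it.
function onclickCall(string $fn, $arg): string {
    $js = $fn . '(' . jsLiteral($arg) . ')';
    return 'onclick="' . htmlspecialchars($js, ENT_QUOTES, 'UTF-8') . '"';
}

// Constructed sample input (hypothetical untrusted data).
$payload = "</script><img src=x onerror=alert(1)>";

// In a text node or attribute the entities are decoded back to the
// original characters; in <script> they stay as the literal text
// "&#60;/script&#62;", so the page is not broken out of but the data
// the script receives is no longer what was stored.
echo htmlescape($payload), "\n";

// Safe and lossless in a <script> body:
//   <script>var x = <?= jsLiteral($payload) ?>;</script>
echo jsLiteral($payload), "\n";
// "\u003C\/script\u003E\u003Cimg src=x onerror=alert(1)\u003E"

// Safe in an inline handler: the double quotes from json_encode become
// &quot; so they cannot end the attribute early.
echo '<a href="#" ', onclickCall('show', $payload), '>x</a>', "\n";
```

The two echo lines for jsLiteral() and onclickCall() are the forms a reviewer should expect in templates that embed data in JavaScript; htmlescape() (or htmlspecialchars()) belongs only in HTML text and attribute-value contexts.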
Received on Thursday, 26 August 2010 01:00:59 UTC