Wow this is exactly what I have been looking for and it popped up in my inbox!
Cugru Cubing Lol. Glad to hear!
Nice video as always John. The great thing was the very clear explanation between htmlentities and htmlspecialchars. Great !
Play this at a speed of 1.25 if you think he speaks too slow
The trouble with htmlentities is that if there is an HTML entity in the input stream, it will convert the leading ampersand, &, to &amp;, thereby ruining all the input entities.
nice explanation.. :D great
We can also prevent XSS attacks by just using the strip_tags() function!! What's your opinion on it??
Thank you very much for this! I'm a self taught newbie so bear with me. This script, should it be included in an existing php file, say for a form, or should it be created?
Hi John, I really like the video and I know how much work goes into doing them. Nice job!
I did want to mention that you compare htmlentities and htmlspecialchars as hammer vs surgical in solving XSS. I am fairly certain that both were not strictly intended to thwart XSS, but both address the need of displaying HTML on a webpage without it being interpreted as HTML. But as escaping became required, these functions also fill the need quite well.
As for htmlentities being a hammer: being francophone I know all too well the need for entities when accented characters are in use. So htmlentities is required when displaying accented characters regardless of XSS. So not really XSS specific.
On the subject of XSS, it appears to me we should store the data after first processing it, since although it is escaped when presented on the intended site, it may also be displayed when consulting the DB with tools such as PhpAdmin or other custom solutions. Do you see a downside?
+Karl Brouillette I've never seen a program use htmlentities or htmlspecialchars on the way IN to a database. Of course, you do database escaping to protect against injection attacks, etc... but for preventing XSS attacks you want to escape at the point the text is being output so you know the final output is escaped.
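As an added illustration of the "escape at the point of output" rule in the reply above (this is example code written for this page, not code from the video or from John Morris), the script below keeps stored values raw and applies one escaping helper when rendering. The helper name e(), the isValidUtf8() check, the column names and the sample rows are all constructed for the example and are not from the original.

```php
<?php
declare(strict_types=1);

// Output escaper for HTML text and quoted-attribute context.
// ENT_QUOTES escapes both quote styles, ENT_SUBSTITUTE replaces invalid
// UTF-8 with U+FFFD instead of returning an empty string, and passing the
// charset explicitly avoids depending on the default_charset ini setting.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input-side validation (not escaping): reject byte sequences that are not
// valid UTF-8 so stored data has one canonical encoding. Output is still
// escaped separately. Requires the mbstring extension; preg_match('//u', $v)
// === 1 is an alternative check without it.
function isValidUtf8(string $value): bool
{
    return mb_check_encoding($value, 'UTF-8');
}

// Constructed stand-ins for rows read back from a database. They were stored
// exactly as submitted (SQL injection is handled by parameterised queries,
// which is a separate concern from XSS).
$rows = [
    ['id' => 1, 'name' => 'Alice <b>not bold</b>'],
    ['id' => 2, 'name' => '"><script>alert(1)</script>'],
    ['id' => 3, 'name' => "O'Reilly & Sons"],
];

foreach ($rows as $row) {
    // Text context: tags in row 1 and 2 are shown literally, not rendered.
    echo '<li>' . e($row['name']) . "</li>\n";

    // Double-quoted attribute context: the same escaper is enough here because
    // ENT_QUOTES neutralises the closing quote in row 2 and the apostrophe in row 3.
    echo '<input type="text" name="name" value="' . e($row['name']) . '">' . "\n";
}

// Invalid UTF-8: a truncated multibyte sequence (constructed). With
// ENT_SUBSTITUTE the bad byte becomes U+FFFD and the rest of the string is
// kept; without ENT_SUBSTITUTE or ENT_IGNORE htmlspecialchars() returns an
// empty string for the whole value, which silently blanks the field.
$bad = "caf\xC3 <x>";
var_dump(isValidUtf8($bad));
var_dump(e($bad));
var_dump(htmlspecialchars($bad, ENT_QUOTES, 'UTF-8'));
```

Run it with `php escape.php` and view the first part of the output as an HTML fragment. The helper covers HTML text and quoted attributes only: a value placed inside a `<script>` block, an `href`/`src` URL, or an inline event handler needs the escaper for that context, and htmlspecialchars() on its own is not sufficient there.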
+John Morris Thanks John!
I understand that the concern is when our data is being output by our PHP code, so we escape it. But if using browser-based tools which we did not develop, similar to PhpAdmin, then that tool could be outputting it without escaping. Locally, this is probably not an issue, but when using these browser-based tools of your web hosting provider, that could result in an unhandled XSS attack. Maybe I am missing something.
In any case, thank you I like your work. I'll experiment on my end to further improve my knowledge.
Great tutorial, I would like to ask one question. On my site, I am using htmlspecialchars to sanitize user input; do I still need to use htmlspecialchars for the prevention of XSS? Thanks
That's enough, I use it on user input, then store it in the database; when I echo I don't use anything!
** I tried to use it on echo as well, but it showed the characters un-encoded! Like if any user writes double quotes or single quotes, it will echo a bunch of weird characters which we don't want!
Dear John, I have made a form on which users can view their own data after login, but there is a problem: if someone changes the id number in the URL then it shows other people's data based on the id number. How do I overcome this?
Could this prevent an xss attack that is encoded?
Hi dude, You have this
Nice video...
I am quite new with PHP; I write mostly with JSP.
The question I want to ask you is:
With JSP it goes like this to prevent XSS:

    import org.owasp.esapi.ESAPI;
    import org.owasp.esapi.Encoder;

    String str = "alert(11);";          // untrusted input
    Encoder XSS = ESAPI.encoder();      // OWASP ESAPI library
    str = XSS.canonicalize(str);        // decode to one canonical form first (UTF-8, UTF-16, nested encodings ...)
    str = XSS.encodeForHTML(str);       // and then encode for the HTML context

Did the code with PHP encode the "input" to one form? If I gave another encoding, is this way going to prevent XSS, and not just filtering / ....
Thanks a lot for the video...
Please can anyone help me, because I tried to stop my data form from submitting but nothing works. I always back up and reset my mobile and even clean it with antivirus, and I tried many things, but nothing works. When I search anything on Google it shows (CONFIRM FORM RESUBMISSION: The web page requires data that you entered earlier in order to be properly displayed. You can send this data again, but by doing so you will repeat any action this page previously performed. Reload this web page: press the Reload button to resubmit the data needed to load the page). Somebody has stolen my password, my bank account numbers and email password, everything; somebody even opens my Facebook account when I'm offline and messages my friends, and when I check security and login I find my Facebook is logged in with a different device like a computer, and an unknown device which Facebook doesn't identify. The places Facebook was logged in from are places I never visit, like Mumbai, Delhi, Kolkata, Pune, Hyderabad, and now nearby places like Assam Tinsukia, near Gauhati, and these places I don't even know - Dibrugarh, India; Sual kuchi, India; Sonitpur, India. I'm tired, so please help me to remove the form submission.
What IDE are you using?
why not use strip_tags instead?
Because that strips it out altogether. There can be legitimate cases for displaying it while not rendering it... like displaying source code in a blog post, for example.
John Morris True dat. But htmlentities() will ruin all the HTML entities, ironic
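To make the strip_tags() vs htmlentities() trade-off from the two comments above concrete, here is an added PHP example (written for this page, not code from the video): strip_tags() on a snippet that a post wants to show as source, htmlentities() turning the snippet's own &eacute; into &amp;eacute; with the default settings, and the double_encode argument that both htmlspecialchars() and htmlentities() accept. The last case reproduces the "weird characters" reported earlier in the thread when a value is escaped once on the way into the database and again on echo. The $snippet and $submitted strings and the show() helper are constructed for the example.

```php
<?php
declare(strict_types=1);

$flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

// Prints one labelled case per line so the differences are visible on the CLI.
function show(string $label, string $value): void
{
    printf("%-10s %s\n", $label . ':', $value);
}

// Constructed sample: a line of HTML that a blog post wants to SHOW, not render.
// It already contains two well-formed entities typed by the author.
$snippet = '<a href="/caf%C3%A9">caf&eacute; &amp; bar</a>';

// 1. strip_tags() removes the <a> markup outright, leaving only the text between
//    the tags, so the reader never sees the source they came for.
$stripped = strip_tags($snippet);

// 2. htmlentities() with the default double_encode=true escapes every '&',
//    including the ones that start the author's entities, so the browser shows
//    the literal text "&eacute;" and "&amp;" instead of the characters.
$doubled = htmlentities($snippet, $flags, 'UTF-8');

// 3. double_encode=false leaves existing well-formed entities alone while still
//    escaping '<', '>', '"' and "'", so the markup displays as source and the
//    entities inside it render as "café & bar". A bare '&' or an unknown name
//    such as "&foo" is still encoded.
$preserved = htmlentities($snippet, $flags, 'UTF-8', false);

// 4. Escape-on-input-then-again-on-output: the value stored in the DB was
//    already escaped, so escaping it a second time on echo turns &quot; into
//    &amp;quot; and the user sees entity debris instead of their quotes.
$submitted     = 'She said "hi"';
$storedEscaped = htmlspecialchars($submitted, $flags, 'UTF-8');     // what went into the DB
$rendered      = htmlspecialchars($storedEscaped, $flags, 'UTF-8'); // escaped again on echo

show('original', $snippet);
show('stripped', $stripped);
show('doubled', $doubled);
show('preserved', $preserved);
show('twice', $rendered);
```

double_encode=false is safe in HTML text and attribute contexts because a decoded entity yields a character, never a tag, but it is a display choice, not a fix for case 4: the right repair for double-escaped data is to stop escaping on input and escape once at output. It also does nothing for URL, JavaScript or CSS contexts, which need their own encoders.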
+DawnOfTheDead991 who cares? lol
troll? I'm saying "who cares" because nobody is even getting affected on the user end so why would it matter at ALL? Your use of irony is incorrect.
***** what are you talking about? I'm referring to when you said "htmlentities() will ruin all the html entitiews" so I said "who cares".. Prove me wrong .... who would care (except an attacker) that the developer used htmlentities.
Also, you saying "XSS injections can insert unwanted JavaScript into your browser, so yeah it affects the user" is like saying humans need air to breathe LMFAO obviously