
Pádraic Brady's Blog:
XSS in PHP (Part 1) How Not to Use Htmlspecialchars
March 13, 2012 @ 12:44:27

Pádraic Brady has written up an exhaustive guide to using htmlspecialchars correctly and securely in your applications (though it's technically how "not to use it"). This is part one of a series looking at preventing cross-site scripting in PHP applications.

While it's no harm poking fun at ourselves, in PHP we do have a serious problem. Cross-Site Scripting (XSS) remains one of the most significant classes of security problems afflicting PHP applications. Despite years of education, community awareness and the development of frameworks which can offer a huge boost in consistent practices - things are not getting any better.

So, I finally figured out what the core problem is: PHP programmers are completely clueless about XSS. It's that simple. Instead of going out and studying the topic, we blindly follow some preferred herd of people offering advice with heartfelt conviction despite the fact that they are probably just as ignorant as the rest of us. Does that sound like the behaviour of something which allegedly evolved into an intelligent species? The result is a mix of ignorance and stagnant knowledge that leaves PHP in an unenviable position beset by wrongheaded zealots.

He introduces the htmlspecialchars function and how it has been generally assumed to be a good method for preventing XSS attacks. He talks about issues with quotes, problems that IE6 seems to have that no one else does, the all-important third parameter of the function (the character set) and the optional fourth (whether existing HTML entities are encoded again).
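To make those three points concrete, here is an added example (not code from Pádraic Brady's post or his repository) that wraps htmlspecialchars in a small escaping helper and shows what each argument changes. The helper name escape_html and the sample strings are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original post. Demonstrates why the flags,
// the charset argument and the double_encode flag of htmlspecialchars matter.

/**
 * Escape a string for insertion into HTML text or a quoted attribute value.
 *
 *  ENT_QUOTES     escape both " and ' (ENT_COMPAT, the default before PHP 8.1,
 *                 leaves the single quote alone)
 *  ENT_SUBSTITUTE replace invalid UTF-8 with U+FFFD instead of returning ""
 *                 (available since PHP 5.4)
 *  'UTF-8'        state the charset explicitly rather than trusting the default,
 *                 which was ISO-8859-1 before PHP 5.4
 *  double_encode  true: "&lt;" in the input becomes "&amp;lt;", so the output
 *                 is always a faithful escaping of the literal input
 */
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', true);
}

// 1. Quotes. A constructed value containing a single quote, placed inside a
//    single-quoted attribute. With ENT_COMPAT the quote survives and ends the
//    attribute value early; with ENT_QUOTES it is rendered as &#039;.
$name = "O'Reilly";
$weak   = htmlspecialchars($name, ENT_COMPAT, 'UTF-8'); // O'Reilly
$strong = escape_html($name);                            // O&#039;Reilly
echo "<input value='" . $weak   . "'>\n"; // attribute closed by the quote
echo "<input value='" . $strong . "'>\n"; // attribute intact

// 2. Charset. A constructed string with an invalid UTF-8 byte (a lone
//    continuation byte). Without ENT_SUBSTITUTE htmlspecialchars returns an
//    empty string, which silently drops the whole value; with it the bad byte
//    becomes U+FFFD and the rest of the text is preserved.
$broken = "abc\x80def";
var_dump(htmlspecialchars($broken, ENT_QUOTES, 'UTF-8')); // string(0) ""
var_dump(escape_html($broken));                           // "abc\u{FFFD}def"

// 3. double_encode. If the input already contains entity text, passing false
//    leaves it untouched, so "&lt;b&gt;" displays as "<b>" rather than as the
//    characters the user actually typed. Keep the default (true) unless the
//    input is known to be entity-encoded already.
$pre = '&lt;b&gt;bold&lt;/b&gt;';
var_dump(htmlspecialchars($pre, ENT_QUOTES, 'UTF-8', false)); // unchanged
var_dump(escape_html($pre)); // &amp;lt;b&amp;gt;bold&amp;lt;/b&amp;gt;
```

The helper is deliberately context-specific: it is correct for HTML text and for double- or single-quoted attribute values, but not for unquoted attributes, URLs, CSS or inline JavaScript, each of which needs its own escaping rules.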

He has also published a GitHub repository with the examples from the post.

xss tutorial htmlspecialchars crosssitescripting security

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework