In the method 'htmlentities' in the Security class, ENT_COMPAT is used.
Is this for a particular reason? Isn't ENT_QUOTES safer? Injection could still be done with single quotes.
Thanks.
Carl
ENT_QUOTES is a bit safer.
PoC
HTML: <img src='foo.img' width='<?php echo htmlentities($width); ?>' />
Input: 300' style='xss:[removed]bad_javascript_here)
Output: <img src='foo.img' width='300' style='xss:[removed]bad_javascript_here)' />
And I want to add my questions:
Why use htmlentities instead of htmlspecialchars?
Why is double_encode false?
You can use whatever you want, FuelPHP doesn't enforce anything. We even provide htmlawed as a vendor package in the core if you want to filter for every eventuality.
And no matter what you do (except removing parts of the input), I can come up with a way to work around it.
In that respect, your example is quite ridiculous. Nobody would have an input field like that, and if they do, they should run a validation rule on it to make sure the input is numeric, no decimals, and 0 or a positive number...
And what is "double_encode"?
Thank you for your reply.
My example is just a concept. The essence is that if an HTML coder uses single quotes, it has risks.
The below might not be ridiculous.
HTML: <input type='hidden' name='body' value='<?php echo $body; ?>' />
Input: ' [removed]alert('xss');[removed]<'
xss_filter removes my input
I want to write "single quote, script tag, alert('xss'); closed script tag ..."
And you are a good programmer, so you validate all input correctly. But I do not believe all programmers are good.
double_encode is the 4th parameter of htmlentities(): http://php.net/htmlentities
P.S. I don't know why, but I can't use Formatting buttons of the forum.
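As an added illustration of the two points raised in this thread (the ENT_COMPAT vs ENT_QUOTES PoC above, and the question about double_encode), the following PHP script is not code from the thread or from FuelPHP. It renders the same single-quoted width attribute with each flag, contrasts htmlspecialchars() with htmlentities(), and shows what the fourth parameter of htmlentities() does. The sample values ($width, $text, $already) are constructed for this example; the payload is a harmless inline style, not the script from the posts.

```php
<?php
// Added illustration, not FuelPHP's code: how the flag passed to htmlentities()
// and its double_encode parameter change what lands inside a single-quoted
// HTML attribute. All sample values below are constructed for this example.

/**
 * Build the attribute the way the thread's template does, with the value
 * encoded under the given flags. Returns the resulting markup.
 */
function render_width(string $width, int $flags): string
{
    $encoded = htmlentities($width, $flags, 'UTF-8');
    return "<img src='foo.img' width='$encoded' />";
}

/**
 * Run the comparisons discussed in the thread and return [description => bool].
 * Each entry is a strict comparison the reader can verify by running the script.
 */
function encoding_checks(): array
{
    // A width value carrying a stray single quote (constructed sample).
    $width = "300' style='color:red";

    $checks = [];

    // ENT_COMPAT encodes only double quotes, so the single quote survives and
    // the attribute boundary is crossed: "style" becomes a second attribute.
    $compat = render_width($width, ENT_COMPAT);
    $checks['ENT_COMPAT leaves the single quote in place'] =
        $compat === "<img src='foo.img' width='300' style='color:red' />";

    // ENT_QUOTES encodes both quote characters; the single quote becomes &#039;
    // and the whole value stays inside the width attribute.
    $quotes = render_width($width, ENT_QUOTES);
    $checks['ENT_QUOTES encodes the single quote as &#039;'] =
        $quotes === "<img src='foo.img' width='300&#039; style=&#039;color:red' />";

    // htmlspecialchars() vs htmlentities(): both cover & < > " and (with
    // ENT_QUOTES) ', but htmlentities() additionally rewrites every character
    // that has a named entity, such as the accented e in "café".
    $text = "café & bar";
    $checks['htmlspecialchars keeps the accented character'] =
        htmlspecialchars($text, ENT_QUOTES, 'UTF-8') === "café &amp; bar";
    $checks['htmlentities turns it into a named entity'] =
        htmlentities($text, ENT_QUOTES, 'UTF-8') === "caf&eacute; &amp; bar";

    // double_encode, the fourth parameter: false leaves an existing entity
    // alone, true (PHP's default) encodes its ampersand a second time.
    $already = "Tom &amp; Jerry";
    $checks['double_encode=false keeps &amp; as it is'] =
        htmlentities($already, ENT_QUOTES, 'UTF-8', false) === "Tom &amp; Jerry";
    $checks['double_encode=true re-encodes it to &amp;amp;'] =
        htmlentities($already, ENT_QUOTES, 'UTF-8', true) === "Tom &amp;amp; Jerry";

    return $checks;
}

foreach (encoding_checks() as $description => $ok) {
    printf("[%s] %s\n", $ok ? 'ok' : 'FAIL', $description);
}
```

Run it with `php example.php`; every line should report `ok`. The practical takeaway for templates is the combination of ENT_QUOTES with double-quoted attributes, which neutralises either quote character whichever one the template author chose. The thread's other advice still stands alongside it: output encoding protects the markup, input validation (for example, requiring a numeric width) is a separate control, and double_encode=false is only appropriate when the value is known to contain entities that were already encoded once.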