Author Topic: Bypass htmlspecialchars  (Read 8270 times)


Offline benjikt

  • NULL
  • Posts: 2
  • Cookies: 0
Bypass htmlspecialchars
« on: December 04, 2013, 05:33:32 pm »
Hi everyone, :) can you tell me how to bypass htmlspecialchars? I searched on Google but found nothing that could help me. I just tried it with a small HTML form and one text field. PHP code:

Code: (php)
<?php
if (isset($_POST['go'])) {
    echo htmlspecialchars($_POST['text']);
}
?>

« Last Edit: December 04, 2013, 07:07:38 pm by Kulverstukas »

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
Re: Bypass htmlspecialchars
« Reply #1 on: December 04, 2013, 06:50:42 pm »
What do you mean bypass? As in bypass it to create an XSS? Not possible afaik. htmlspecialchars() is made for this exact purpose, filter/convert "bad" characters often used in XSS. Personally I use htmlentities() instead of htmlspecialchars().
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Kanade

  • Guest
Re: Bypass htmlspecialchars
« Reply #2 on: December 04, 2013, 07:18:37 pm »
It is not possible, unless the page uses UTF-7. (/dated URI)
For htmlentities() it is bypassable if it is badly configured, for example with:

 .' onevent ='prompt(/XSS/);

Offline benjikt

  • NULL
  • Posts: 2
  • Cookies: 0
Re: Bypass htmlspecialchars
« Reply #3 on: December 04, 2013, 08:33:37 pm »
OK, and what is the conclusion? When I use PDO and htmlspecialchars, is my system 100% protected? I mean, how can an XSS be made when these things are used?
Sorry for my bad English :)

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
Re: Bypass htmlspecialchars
« Reply #4 on: December 04, 2013, 09:39:22 pm »
Using PDO does not guarantee security. If you use PDO correctly, on the other hand, binding parameters with bindParam/bindValue or sending them as an array to the execute function, you are secure.

Quote from http://php.net/manual/en/function.htmlspecialchars.php

Quote
a common confusion among beginners is what the difference between htmlentities() and htmlspecialchars() really is, because the manual examples convert angle brackets for both.

well, htmlentities() will ALSO look for other language characters in the string, e.g. German, French or Italian etc. So if you think your attacker can use some foreign language characters for an XSS attack in a URL etc., then use htmlentities() instead of htmlspecialchars().

I hope it helps,

Haroon Ahmad

But if you use htmlentities() instead you probably want to read this: (quote from http://php.net/manual/en/function.htmlentities.php)

Quote
An important note below about using this function to secure your application against Cross Site Scripting (XSS) vulnerabilities.

When printing user input in an attribute of an HTML tag, the default configuration of htmlEntities() doesn't protect you against XSS when using single quotes to define the border of the tag's attribute value. XSS is then possible by injecting a single quote:

<?php
$_GET['a'] = "#000' onload='alert(document.cookie)";
?>

XSS possible (insecure):

<?php
$href = htmlEntities($_GET['a']);
print "<body bgcolor='$href'>"; # results in: <body bgcolor='#000' onload='alert(document.cookie)'>
?>

Use the 'ENT_QUOTES' quote style option to ensure no XSS is possible and your application is secure:

<?php
$href = htmlEntities($_GET['a'], ENT_QUOTES);
print "<body bgcolor='$href'>"; # results in: <body bgcolor='#000&#039; onload=&#039;alert(document.cookie)'>
?>

The 'ENT_QUOTES' option doesn't protect you against JavaScript evaluation in certain tags' attributes, like the 'href' attribute of the 'a' tag. When the link below is clicked, the given JavaScript will get executed:

<?php
$_GET['a'] = 'javascript:alert(document.cookie)';
$href = htmlEntities($_GET['a'], ENT_QUOTES);
print "<a href='$href'>link</a>"; # results in: <a href='javascript:alert(document.cookie)'>link</a>
?>
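An added, defender-side example that is not code from this thread, from the php.net manual comments or from any project: it puts the points of this reply (ENT_QUOTES for attribute values, the href case that escaping alone does not cover, and bound parameters with PDO) together with Kanade's remark about badly configured attributes into one runnable script. It assumes PHP 8 with the pdo_sqlite extension; the helper names escapeHtml, safeUrl, renderBody, renderLink and findUsers and every sample input are constructed for the example.

```php
<?php
// Added example for this thread (not the thread's, php.net's or any project's code):
// context-aware output escaping plus a bound PDO query. Helper names and all
// sample inputs are constructed for the example; it assumes PHP 8 with pdo_sqlite.
declare(strict_types=1);

// Constructed samples, shaped like the values in the manual comment quoted above.
const SAMPLE_ATTR = "#000' onload='alert(document.cookie)";
const SAMPLE_HREF = 'javascript:alert(document.cookie)';

// Escape for element text or a QUOTED attribute value. ENT_QUOTES covers both
// quote characters (before PHP 8.1 the default flags left ' alone), ENT_SUBSTITUTE
// keeps invalid UTF-8 from turning the output into an empty string, and the
// explicit charset stops the function from guessing.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// href/src need more than escaping: a "javascript:" URL passes htmlentities()
// untouched, so only http(s) URLs or site-relative paths are let through.
function safeUrl(string $url): string
{
    $url = trim($url);
    if (preg_match('#^(?:https?://|/(?!/))#i', $url) !== 1) {
        return '#'; // refused: neither http(s) nor a relative path
    }
    return escapeHtml($url);
}

// The attribute is always quoted. Without the quotes, a space in the value
// would start a new attribute no matter how well the characters are escaped,
// which is the badly configured case mentioned earlier in the thread.
function renderBody(string $bgcolor): string
{
    return "<body bgcolor='" . escapeHtml($bgcolor) . "'>";
}

function renderLink(string $href, string $text): string
{
    return "<a href='" . safeUrl($href) . "'>" . escapeHtml($text) . "</a>";
}

// PDO: the value is bound, never concatenated into the SQL text.
function findUsers(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo against an in-memory SQLite database (constructed rows).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

echo renderBody(SAMPLE_ATTR), PHP_EOL;          // both quote characters become entities; attribute stays closed
echo renderLink(SAMPLE_HREF, 'link'), PHP_EOL;  // scheme refused, href falls back to '#'
echo renderLink('/profile?id=1', "O'Brien"), PHP_EOL;

// The injection-looking string is compared literally with the name column.
echo count(findUsers($pdo, "' OR 1=1 --")), ' row(s) for the quoted string', PHP_EOL;
echo count(findUsers($pdo, 'alice')), ' row(s) for alice', PHP_EOL;
```

Run it with `php escaping_demo.php`. With ENT_QUOTES the single quote in the first sample is emitted as the entity `&#039;`, so the bgcolor attribute is never closed early and `onload` stays inside the attribute value; the second sample shows why href needs a scheme check on top of escaping; the PDO part shows that a bound parameter is matched as data, returning no rows for the quoted string and one row for alice.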

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • *
  • Posts: 2803
  • Cookies: 256
  • ФФФ
Re: Bypass htmlspecialchars
« Reply #5 on: December 05, 2013, 11:34:57 am »
OK, and what is the conclusion? When I use PDO and htmlspecialchars, is my system 100% protected? I mean, how can an XSS be made when these things are used?
Sorry for my bad English :)

Apart from all of this jazz, even saying something like '100% protected' is an illusion.
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline lucid

  • #Underground
  • Titan
  • **
  • Posts: 2683
  • Cookies: 243
  • psychonaut
Re: Bypass htmlspecialchars
« Reply #6 on: December 05, 2013, 11:36:43 am »
'100% protected'
Saying this statement anywhere, at anytime, about anything, is pure illusion
« Last Edit: December 05, 2013, 11:37:48 am by lucid »
"Hacking is at least as much about ideas as about computers and technology. We use our skills to open doors that should never have been shut. We open these doors not only for our own benefit but for the benefit of others, too." - Brian the Hacker

Quote
15:04  @Phage : I'm bored of Python

Offline chapp

  • Peasant
  • *
  • Posts: 87
  • Cookies: 2
Re: Bypass htmlspecialchars
« Reply #7 on: December 05, 2013, 10:30:26 pm »
Saying this statement anywhere, at anytime, about anything, is pure illusion


Well no, it isn't, and it's a common misconception to think so. Chances are that every system with more than a couple hundred LOC and running on top of other software is vulnerable in some way, but 100% secure systems do indeed exist.

Offline lucid

  • #Underground
  • Titan
  • **
  • Posts: 2683
  • Cookies: 243
  • psychonaut
Re: Bypass htmlspecialchars
« Reply #8 on: December 06, 2013, 01:42:55 am »
Perhaps you are right, so let me rephrase. Nothing stays 100% secure forever.
"Hacking is at least as much about ideas as about computers and technology. We use our skills to open doors that should never have been shut. We open these doors not only for our own benefit but for the benefit of others, too." - Brian the Hacker

Quote
15:04  @Phage : I'm bored of Python