What makes an input vulnerable to XSS?

by

Indeed just let the server output it so that the input string effectively get embedded in HTML source which get returned to the client.

PHP example:

<!doctype html>
<html lang="en">
    <head><title>XSS test</title></head>
    <body>
        <form><input type="text" name="xss"><input type="submit"></form>
        <p>Result: <?= $_GET['xss'] ?></p>
    </body>
</html>

JSP example:

<!doctype html>
<html lang="en">
    <head><title>XSS test</title></head>
    <body>
        <form><input type="text" name="xss"><input type="submit"></form>
        <p>Result: ${param.xss}</p>
    </body>
</html>

Alternatively you can redisplay the value in the input elements, that’s also often seen:

<input type="text" name="xss" value="<?= $_GET['xss'] ?>">

resp.

<input type="text" name="xss" value="${param.xss}">

This way “weird” attack strings like "/><script>alert('xss')</script><br class=" will work because the server will render it after all as 

<input type="text" name="xss" value=""/><script>alert('xss')</script><br class="">

XSS-prevention solutions are among others htmlspecialchars() and fn:escapeXml() for PHP and JSP respectively. Those will replace among others <, > and " by &lt;, &gt; and &quot; so that enduser input doesn’t end up to be literally embedded in HTML source but instead just got displayed as it was entered.

More Related Contents:

  1. Sanitize/Rewrite HTML on the Client Side
  2. How does Content Security Policy (CSP) work?
  3. Detecting if a browser is using Private Browsing mode
  4. What are “top level JSON arrays” and why are they a security risk?
  5. How do you use window.postMessage across domains?
  6. Cross-site AJAX requests
  7. How to prevent html/JavaScript code modification
  8. Safe value must use [property]=binding after bypass security with DomSanitizer
  9. Check if a file exists locally using JavaScript only
  10. html() vs innerHTML jquery/javascript & XSS attacks
  11. Disable drop paste in HTML input fields? [duplicate]
  12. XSS attacks and style attributes
  13. Embedding youtube video “Refused to display document because display forbidden by X-Frame-Options”
  14. How to detect Ctrl+V, Ctrl+C using JavaScript?
  15. How to show Page Loading div until the page has finished loading?
  16. Jquery load() only working in firefox?
  17. Get Base64 encode file-data from Input Form
  18. Play an audio file using jQuery when a button is clicked
  19. Get element at specified position – JavaScript
  20. AngularJS – ng-disabled not working for Anchor tag
  21. Getting Bootstrap’s modal content from another page
  22. Sort an html list with javascript
  23. jQuery: Slide left and slide right
  24. How to specify download location in Html using JavaScript
  25. How to use JavaScript to change the form action [duplicate]
  26. JavaScript: get code to run every minute
  27. Check if input is number or letter javascript
  28. visibilitychange event is not triggered when switching program/window with ALT+TAB or clicking in taskbar
  29. use text-align smartly (if english dir=ltr if arabic dir=rtl)
  30. D3 put arc labels in a Pie Chart if there is enough space

Leave a Comment