I have this code to echo out a username of a user that has just logged in:
echo $_SESSION['user']['username']."
Would I be right in thinking that if I change my code to:
echo htmlspecialchars $_SESSION['user']['username']."
i am protecting myself from low level XSS atleast?
分享 The function htmlspecialchars does not encode single quotation(') by default, if your user name echo in an html attribute or inside javascript, there would be XSS!
For example:
<script>
name='$YOUR_NAME_HERE$';
</script>
We can set the user name to ';alert('xss');// So the browser will generate the html content like this
<script>
name='';alert('xss');//';
</script>
And my advice to you is:
echo htmlspecialchars($_SESSION['user']['username'], ENT_QUOTES);
