I am considered about XSS vulnerability!

I have a web site where all data between the web server and the client is transferred via XHR (JSON), and JavaScript in the browser does the rest to display the site.

When a client submits data, here is my code BEFORE the data is recorded in the DB (PHP):

$string = trim($_POST['user_input']);
$string = strip_tags($string);
$string = mysql_real_escape_string($string);

When the server gets data from the database, the PHP code is the following:

$string = htmlspecialchars($db_value);

and then

header('Content-Type: application/json; charset=utf-8');
print json_encode($string);

Is this enough to protect me against XSS?

  • If you're sending a normal XMLHttpRequest you're not prone to XSS unless you actually place the response content you loaded from the AJAX anywhere. Where/how do you present it to the user? Commented Feb 7, 2013 at 0:18
  • Just to mention, you can put all of those functions in one line of code. $string = trim(htmlspecialchars(strip_tags($_POST['string']))); Commented Feb 7, 2013 at 0:35
  • @Brad thanks mate, I know, but in the question I've written them separately just to be easier to read. Commented Feb 7, 2013 at 0:57
  • The JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT options for escaping HTML special chars and header("X-Content-Type-Options: nosniff") for IE are also needed. Commented Sep 3, 2013 at 5:32
  • You mean to say that you are concerned about XSS vulnerability. Commented Sep 27, 2015 at 20:02

2 Answers

As a general rule of thumb, the other answer here is not correct. Using application/json for your content-type will fix some problems, but many clients tend to extract data from a JSON object and display it on a page. This leads to a classic attack.

The ONLY reliable method to stop XSS (and I say reliable because it's not fool-proof) is to sanitize data on the inbound stream (rejecting requests entirely is probably a better call) and encoding ALL output that has the potential to be displayed (ie: anything the user could have modified).

Also, don't accept the idea that methods not designed for security are inherently secure (json_encode is not meant for XSS security, and should not be used as such). Any suggestion that normal security practices are not necessary because of X should be viewed with skepticism if not outright disregarded.

That really depends. If the contents of $string post json_encode contain HTML entities and are displayed as html on a page then you would be vulnerable to XSS. If that's not the case (and it's not since you're using application/json anyway) then not only is there no need to use htmlspecialchars, it's probably undesirable because it alters the raw data you are trying to transfer via JSON.

I won't say that you are completely invulnerable to XSS because it is limited only by the imagination of evil people, but I would say that header('Content-Type: application/json;') provides sufficient protection in this instance.

On an unrelated note, stop using ext/mysql.

3 Comments

Okay, so I'll give you an example: if I don't htmlspecialchars() before sending JSON to the client, in this case I am completely vulnerable. <div id="container" data-string="+AJAX_RESULT.STRING+"></div>
@OlegPopov not necessarily; it depends on how it is going to be consumed by the client. Is it displayed as HTML? Probably not.
Yep, actually it is displayed as normal HTML. If STRING is " onmouseover="alert('WTF!')" it alerts. That's why I am using htmlspecialchars($string).
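An added example (not from the question or either answer) in JavaScript, tying the first answer's point about encoding all output to the container line in the comments above: the JSON body is harmless on the wire, and the attribute breakout appears only when the client concatenates the raw value into markup, so the encoding belongs at that point in the browser rather than in PHP before json_encode. AJAX_RESULT, the render functions and the small attribute counter are assumptions made for this demonstration.

```javascript
// Constructed server response: the raw value from the comment thread, sent
// exactly as json_encode would produce it (no htmlspecialchars on the server).
const responseBody = JSON.stringify({ STRING: '" onmouseover="alert(\'WTF!\')' });
const AJAX_RESULT = JSON.parse(responseBody);

// Escape the same five characters as PHP's htmlspecialchars(ENT_QUOTES), so the
// value is safe in HTML text and inside a double- or single-quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// The pattern from the comment thread: raw string concatenation into markup.
function renderContainerNaive(str) {
  return '<div id="container" data-string="' + str + '"></div>';
}

// Same markup, but the value is encoded where it meets HTML.
function renderContainerSafe(str) {
  return '<div id="container" data-string="' + escapeHtml(str) + '"></div>';
}

// Lists the attribute names of the opening tag. A deliberately tiny check
// (not a real HTML parser) that is enough to show whether the injected quote
// closed data-string early and smuggled in a second, event-handler attribute.
function attributeNames(markup) {
  const tag = markup.match(/^<\w+([^>]*)>/)[1];
  return [...tag.matchAll(/\s([\w-]+)="[^"]*"/g)].map(m => m[1]);
}

// Stand-alone demonstration.
console.log(attributeNames(renderContainerNaive(AJAX_RESULT.STRING)));
// → [ 'id', 'data-string', 'onmouseover' ]   (handler injected)
console.log(attributeNames(renderContainerSafe(AJAX_RESULT.STRING)));
// → [ 'id', 'data-string' ]                  (value stays inside the attribute)
```

Because the browser decodes `&quot;` and `&#039;` when it reads the attribute, the client still gets the original string back from `dataset.string`, which is why encoding here does not corrupt the data the way server-side htmlspecialchars before json_encode would.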
