Is addslashes() safe to prevent XSS in a HTML attribute?

I'm having to work on an old web app that a previous developer left. It is using addslashes() to prevent XSS on a HTTML attribute.

Here is an example:

<?php
  // all $_POST vars are put through addslashes()

  echo "<input type='hidden' value='" . $_POST['id'] . "' />";
?>

Is this vulnerable to XSS? Is there any way javascript can run in a value attribute like it can in an src attribute for example, src='javascript:alert(99)'. Or can the value attribute be broken out of and then script tags can be inserted?

Edit: Thanks to Quentin, I believe it is vulnerable.

Answers


Is addslashes() safe to prevent XSS in a HTML attribute?

It is highly ineffective.

Is this vulnerable to XSS?

Yes.

Is there any way javascript can run in a value attribute like it can in an src attribute for example, src='javascript:alert(99)'.

No

Or can the value attribute be broken out of and then script tags can be inserted?

The data just has to include a " and the attribute is broken out of.

Use htmlspecialchars when you want to insert an arbitrary string into an attribute value.


Need Your Help

Use Anchor using Html.MenuLink asp.net mvc4

c# html asp.net-mvc-4

I'm using Asp.net MVC4 and i'm trying to add an "anchor" in the Html.MenuLink without rewriting a new MenuLink

Apache + mod_wsgi vs nginx + gunicorn

django apache nginx mod-wsgi gunicorn

I want to deploy a django site (it is the open source edx code on github).

About UNIX Resources Network

Original, collect and organize Developers related documents, information and materials, contains jQuery, Html, CSS, MySQL, .NET, ASP.NET, SQL, objective-c, iPhone, Ruby on Rails, C, SQL Server, Ruby, Arrays, Regex, ASP.NET MVC, WPF, XML, Ajax, DataBase, and so on.