Should I Use Both Striptags() and HTMLspecialchars() to Prevent Xss

Should I use both striptags() and htmlspecialchars() to prevent XSS?

htmlspecialchars() is enough to prevent XSS.

Strip tags removes tags but not special characters like " or ', so if you use strip_tags() you also have to use htmlspecialchars().

If you want users' comments to be displayed like they typed them, don't use strip_tags, use htmlspecialchars() only.

why not using strip_tags() to prevent xss attack instead of htmlspecialchars()?

Because strip_tags doesn't fix every possible abuse case. True, it fixes the worst offenders, but there are other cases, e.g. when inserting values back into <input> tags yourself, where the quotes can be broken out of.

Consider:
<input type="text" value="my string" />

If my string comes from some other data source that isn't XSS-protected, it could conceivable contain something like:
"><script ....

which can use the original closing > of the input tag - and strip_tags may or may not catch that case. I seem to remember it looks for < followed by > which wouldn't be found in the above string.

Using htmlspecialchars and strip_tags for more security

I would recommend using the code in backend for php. Something like this

mysqli_real_escape_string($con, $_POST['variable']). This is a better practice.

Where to use strip_tags() and htmlspecialchars()

Both examples are equal (in output).
The problem I can see is that example #1 overwrites the $_POST data.
I would advise against doing so because you cannot restore the original data at a later point in the script (e.g. if you wish to save the data into a database or output it in a non-HTML context).

---

I somehow misunderstood the question, but this part of my old answer is still applicable.

They are two different functions.

In your case you should only use htmlspecialchars() since this function is meant to escape special HTML characters (<, >, ").

strip_tags() on the contrary strips HTML tags (and some other stuff, see the docs). Do you really want this behavior? I doubt that. Stripping HTML tags differs from escaping them insofar that it really removes the tags. Escaping only "escapes" them so that the browser renders them as normal text.

When used correctly, is htmlspecialchars sufficient for protection against all XSS?

htmlspecialchars() is enough to prevent document-creation-time HTML injection with the limitations you state (ie no injection into tag content/unquoted attribute).

However there are other kinds of injection that can lead to XSS and:

There are no <script> tags in the document.

this condition doesn't cover all cases of JS injection. You might for example have an event handler attribute (requires JS-escaping inside HTML-escaping):

<div onmouseover="alert('<?php echo htmlspecialchars($xss) ?>')"> // bad!

or, even worse, a javascript: link (requires JS-escaping inside URL-escaping inside HTML-escaping):

<a href="javascript:alert('<?php echo htmlspecialchars($xss) ?>')"> // bad!

It is usually best to avoid these constructs anyway, but especially when templating. Writing <?php echo htmlspecialchars(urlencode(json_encode($something))) ?> is quite tedious.

And... injection issues can happen on the client-side as well (DOM XSS); htmlspecialchars() won't protect you against a piece of JavaScript writing to innerHTML (commonly .html() in poor jQuery scripts) without explicit escaping.

And... XSS has a wider range of causes than just injections. Other common causes are:

• allowing the user to create links, without checking for known-good URL schemes (javascript: is the most well-known harmful scheme but there are more)

• deliberately allowing the user to create markup, either directly or through light-markup schemes (like bbcode which is invariably exploitable)

• allowing the user to upload files (which can through various means be reinterpreted as HTML or XML)

PHP htmlspecialchars() function shows html safe tags in page

The method htmlspecialchars is not perfect.

Take a look at htmlpurifier. It is way more powerfull through whitelist filter. With it, your users can write html (such as <p>), and you don't have the risk of XSS.

consider, to use this, before you store it in the database, so you don't need to santize your input on every page view.

When to use Strip_tags and when to use htmlspecialchars()

htmlspecialchars and htmlentities are for displaying text in web pages. It will translate the characters that have special meaning in HTML, such as the < and > characters that surround tags, into their entity codes. For instance, if the string contains

Use <table> to create a table on a web page.

it will be converted to

Use <table> to create a table on a web page.

When you display the string on a web page, you'll then see the intended message correctly.

strip_tags completely removes all the HTML tags. So the above string would be converted to:

Use  to create a table on a web page.

If you display this, it doesn't make much sense. This is often used to sanitize input that isn't really meant for display, and shouldn't contain anything that looks like an HTML tag in the first place, such as usernames. Although it would probably be better to just validate it against whatever rules you have for those values (e.g. usernames should just be alphanumeric characters).

In my opinion, strip_tags() is almost always the wrong tool. It's a simple crutch to prevent XSS attacks, since code without any HTML tags can't introduce scripts. But it's a broad brush that doesn't usually match the specific needs.

And it's generally wrong to do these conversions when processing input. Do them when you're using the data, performing whatever escaping is necessary at that time. So you use mysqli_real_escape_string() if you're substituting the variable into a query (but you really should use prepared statements instead of this), htmlentities() when you're displaying it on a web page, urlencode() when you're putting it into a URL query string, etc.

---

Related Topics