Will htmlentities avoid all XSS in php?
on 24.01.2008 12:05:09 by Erwin Moller
Hi all,
Question: If I use htmlentities($originalString,ENT_QUOTES) everywhere I
output anything to the browser that originated from userinput, will an
XSS attack be possible?
I think not, but I found a lot of different ways to XSS related on the
net (like DNS rebinding: http://en.wikipedia.org/wiki/DNS_rebinding).
As far as I can see DNS-rebinding is useless as long as the JavaScript
will not be executed.
Is htmlentities enough?
Should I also use the third parameter for htmlentities (charset)?
What do you do to protect your sites against XSS?
Regards,
Erwin Moller
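An added example, not code from the thread, of the usage Erwin asks about: a helper that wraps htmlentities() with ENT_QUOTES and an explicit UTF-8 charset, plus a self-check that the escaped string cannot break out of element content or a quoted attribute value. The helper names e() and isInert() and the sample string are my own assumptions; the block assumes PHP 7 or later.

```php
<?php
// Added example, not code from the thread: one output-escaping helper
// for HTML element content and quoted attribute values. Assumes PHP 7+.
function e(string $s): string
{
    // ENT_QUOTES turns both " and ' into entities, so the result is safe
    // inside double- or single-quoted attributes as well as in element
    // content. The charset argument makes htmlentities() validate the
    // bytes as UTF-8 instead of guessing the encoding.
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// Checks that an escaped string can neither close a tag or attribute
// value nor start a stray entity: no raw < > " ' and every & begins
// a complete entity.
function isInert(string $escaped): bool
{
    return preg_match('/[<>"\']|&(?![A-Za-z0-9#]+;)/', $escaped) === 0;
}

// Constructed sample input containing all five HTML metacharacters.
$untrusted = "O'Reilly said: <b>\"Tom\" & Jerry</b>";

// The three contexts this helper is meant for.
echo '<p>' . e($untrusted) . "</p>\n";
echo '<input type="text" value="' . e($untrusted) . "\">\n";
echo "<input type='text' value='" . e($untrusted) . "'>\n";

// The ENT_COMPAT flag leaves the apostrophe alone, which is why the
// single-quoted attribute above needs ENT_QUOTES.
$compat = htmlentities($untrusted, ENT_COMPAT, 'UTF-8');
var_dump(isInert(e($untrusted)));  // the ENT_QUOTES form passes the check
var_dump(isInert($compat));        // the ENT_COMPAT form still holds a raw '
```

The helper only covers element content and quoted attribute values. A value placed in an unquoted attribute, in a URL, or inside inline JavaScript or CSS needs context-specific encoding, because htmlentities() leaves characters such as space, parentheses and the colon untouched.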
Re: Will htmlentities avoid all XSS in php?
on 24.01.2008 14:34:18 by colin.mckinnon
On 24 Jan, 11:05, Erwin Moller wrote:
> Hi all,
>
> Question: If I use htmlentities($originalString,ENT_QUOTES) everywhere I
> output anything to the browser that originated from userinput, will an
> XSS attack be possible?
>
> I think not, but I found a lot of different ways to XSS related on the
> net (like DNS rebinding: http://en.wikipedia.org/wiki/DNS_rebinding).
> As far as I can see DNS-rebinding is useless as long as the JavaScript
> will not be executed.
>
> Is htmlentities enough?
> Should I also use the third parameter for htmlentities (charset)?
> What do you do to protect your sites against XSS?
>
> Regards,
> Erwin Moller
You're just eliminating one vector for the CSS attack. Admittedly it's
the one most commonly exploited.
Not sure how you would leverage DNS rebinding as a CSS attack, but it
doesn't stop JavaScript from executing:
- browser requests page from (redirected to bad server) site
- js file referenced by page is loaded by browser from (redirected to
  bad server) site, comes back with headers to say cache this for a
  year.
- (DNS changed to point to 'good' server)
- Browser is now running the bad server's js file on the good server's
  pages
Sure, it's difficult (although far from impossible) to steal
somebody's domain, but ICMP redirection? Competing DHCP?
Your proposal is a good start, but don't assume that it eliminates all
possible CSS attacks.
C.
Re: Will htmlentities avoid all XSS in php?
on 24.01.2008 14:40:08 by Toby A Inkster
Erwin Moller wrote:
> Question: If I use htmlentities($originalString,ENT_QUOTES) everywhere I
> output anything to the browser that originated from userinput, will an
> XSS attack be possible?
Well, you'd still be vulnerable to bugs in htmlentities() itself. For
example, I've not checked how well it copes with overlong forms in Unicode.
For those who don't know what an overlong form is, UTF-8 stores ASCII
characters as 1 byte; accented characters, the Greek alphabet and a few
other small alphabets as 2 bytes; most other characters are 3 bytes; but a
few oddball characters are 4 bytes. However, it's theoretically possible
to store, say, a character that would normally be a 1 byte character as a
2, 3 or even 4 byte character. That way naive string processors looking
for, say, '<' in a string might not be able to find it.
Overlong forms like this are prohibited in the UTF-8 spec, but this
prohibition is often not properly enforced by decoders, and can lead to
vulnerabilities.
--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 25 days, 45 min.]
CSS to HTML Compiler
http://tobyinkster.co.uk/blog/2008/01/22/css-compile/
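An added example, not code from the thread, that illustrates Toby's overlong-form point with PHP's own functions and answers Erwin's question about the charset parameter: the overlong two-byte encoding of '<' slips past a byte-wise search for the literal character, but mb_check_encoding() rejects it, and htmlentities() given an explicit 'UTF-8' charset emits nothing for a string containing it. The function names and the sample bytes are my own constructions; the block assumes PHP 7 or later with the mbstring extension.

```php
<?php
// Added example, not code from the thread: what PHP does with an overlong
// UTF-8 sequence. Assumes PHP 7+ and the mbstring extension.

// Constructed input: '<' (U+003C) encoded as the two-byte overlong
// sequence C0 BC instead of the single byte 3C. RFC 3629 forbids this form.
$overlong   = "\xC0\xBC";
$wellFormed = "<";

// A byte-wise search for the literal '<' does not see the overlong form,
// which is exactly the weakness of a naive filter.
function containsLt(string $s): bool
{
    return strpos($s, '<') !== false;
}

// A conforming UTF-8 validator rejects the sequence before any escaping.
function isValidUtf8(string $s): bool
{
    return mb_check_encoding($s, 'UTF-8');
}

// With an explicit charset htmlentities() validates its input itself and,
// without ENT_IGNORE or ENT_SUBSTITUTE, returns an empty string when the
// input holds an invalid sequence, so the overlong '<' never reaches the
// page. This helper makes that failure explicit instead of silent.
function escapeStrict(string $s): string
{
    if (!isValidUtf8($s)) {
        // Defensive choice: refuse malformed input outright rather than
        // silently dropping or substituting bytes.
        throw new InvalidArgumentException('input is not well-formed UTF-8');
    }
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

var_dump(containsLt($overlong));                        // the byte filter misses it
var_dump(isValidUtf8($overlong));                       // mbstring rejects it
var_dump(htmlentities($overlong, ENT_QUOTES, 'UTF-8')); // validation fails, nothing emitted
var_dump(escapeStrict($wellFormed));                    // the real '<' is entity-encoded
try {
    escapeStrict($overlong);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Validating the encoding once at the input boundary, and passing the charset to htmlentities() at every output point, means a decoder that tolerates overlong forms downstream never gets to see them.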