Prevent XSS attacks when echoing HTML using PHP

I have a simple bimple function which echoes this:

echo '<button name="wooba" onclick="alert(this.name)">Say name</button>';

This just works fine, but if a user edits the HTML using Chrome or Firefox, he can modify the code to output something like:

echo '<button name="wooba" onclick="alert(\'XSS :D\')">Say name</button>';

I have set HttpOnly in php.ini for the cookies, but is there any way to prevent the user from modifying and successfully changing the site's JavaScript?

Thanks!


Answer

Once the document reaches a user's browser it is theirs to manipulate however they like. This in itself isn't XSS. An XSS exploit exists when a bad actor can inject a script into other people's documents. In your example, so long as this.name doesn't come from user input you don't have a problem.
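To show where the answer's caveat bites, here is an added example (not from the question or the answer) of the same button with the name taken from user input, rendered once unescaped and once through htmlspecialchars; the function names, the sample inputs and the $_GET['name'] source are assumptions.

```php
<?php
// Added example, not code from the original question or answer.
// The button from the question, but with `name` supplied by the user
// (assumed to arrive via $_GET['name']), rendered two ways.

// Unsafe: the value is dropped straight into an attribute. A name that
// contains a double quote closes the attribute early and can supply its own
// handler, so the script runs in every other user's browser that is served
// this value (that is the stored/reflected XSS the answer describes).
function renderButtonUnsafe(string $name): string
{
    return '<button name="' . $name . '" onclick="alert(this.name)">Say name</button>';
}

// Safe: htmlspecialchars with ENT_QUOTES encodes both " and ', so the value
// can never terminate the attribute. The handler still alerts the real name,
// because the browser decodes &quot; back to " when it builds this.name.
function renderButtonSafe(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<button name="' . $escaped . '" onclick="alert(this.name)">Say name</button>';
}

// Constructed sample inputs: a benign name and the attribute-breaking name
// from the question. In a real page $name would come from $_GET['name'].
$inputs = [
    'wooba',
    'wooba" onclick="alert(\'XSS :D\')',
];

foreach ($inputs as $name) {
    echo "Unsafe: " . renderButtonUnsafe($name) . "\n";
    echo "Safe:   " . renderButtonSafe($name) . "\n\n";
}
```

Run it from the command line to compare the two renderings; only the unsafe one produces a second onclick attribute for the hostile input.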

User contributions licensed under: CC BY-SA