
I'm using PHP. I'm attempting to prevent some XSS on my page. One test I'm running has this in the url params:

www.mypage.com?error=<script>alert(11170579)</script>&foo=one&bar=two

The error=... param is not coming from a form input. It's just inserted into the url.

How can I use Javascript to escape/decode the tags so the alert() does not execute? I did find a couple of examples of parsing the param values in the url, but none mentioned how to prevent or change the code so it did not run.

Thanks for any help.

John Cowan
  • 2
    I find OWASP is still a good resource for these topics: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet Be explicit, trust no one. – ficuscr May 14 '18 at 16:06
  • 1
    Please consult with a security expert for this rather than random strangers on the internet. It is clear from what you are asking that you don't understand the problem you're attempting to solve sufficiently. – zzzzBov May 14 '18 at 16:06
  • 3
    You're looking at the problem from entirely the wrong angle. The solution is not to *safely* execute the code (by "escaping" undesirable things), the solution is to *not execute user input as code in the first place*. No web browser will, by default, execute JavaScript code typed into the URL like that. *You* are doing that. Don't do it. – David May 14 '18 at 16:07
  • first of all you shall not put script as a parameter... – singe batteur May 14 '18 at 16:07
  • 1
    @singebatteur — How is he supposed to test his defences against XSS without doing that? – Quentin May 14 '18 at 16:09
  • oh yeah just testing my bad – singe batteur May 14 '18 at 16:11

1 Answer

Take a look at PHP's htmlspecialchars function. This seems to be what you want:

<?php
    // Escape &, <, >, " and ' so the browser renders the value as text.
    // ENT_QUOTES also escapes single quotes (matters inside attributes);
    // 'UTF-8' makes the charset explicit; ?? '' avoids an undefined-index notice.
    echo htmlspecialchars($_GET['error'] ?? '', ENT_QUOTES, 'UTF-8');
?>
Hapstyx
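The question asked for the JavaScript side of this. Added example (not code from the question or the answer): a client-side equivalent of htmlspecialchars() with ENT_QUOTES, applied to the question's test URL; the URL and the function names are assumptions for the demo.

```javascript
// Added example, not from the original post: client-side counterpart of
// PHP's htmlspecialchars($s, ENT_QUOTES). Runs in a browser or in Node.js.

// Characters that are significant in HTML text and attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#039;",
};

// Escape a string so that, when placed inside HTML markup, the browser
// shows it literally instead of parsing it as tags or attribute delimiters.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read the `error` query parameter from a URL string. URLSearchParams does
// the percent-decoding, so no separate decode step is needed.
function errorParamFromUrl(url) {
  const i = url.indexOf("?");
  const query = i === -1 ? "" : url.slice(i + 1);
  return new URLSearchParams(query).get("error") ?? "";
}

// Build the markup a page would insert. Only the untrusted value is escaped,
// never the surrounding template.
function errorMarkup(url) {
  return `<p class="error">${escapeHtml(errorParamFromUrl(url))}</p>`;
}

// Constructed input mirroring the test URL in the question.
const SAMPLE_URL =
  "http://www.mypage.com/?error=<script>alert(11170579)</script>&foo=one&bar=two";

// In a browser the simplest safe option skips markup entirely:
//   document.getElementById("error").textContent = errorParamFromUrl(location.href);
// textContent never parses its argument as HTML, so nothing needs escaping.
console.log(errorMarkup(SAMPLE_URL));
// → <p class="error">&lt;script&gt;alert(11170579)&lt;/script&gt;</p>
```

Escaping is context-specific: this covers HTML text and quoted attribute values, not JavaScript string literals or URLs, where different encoding applies.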