Hey everyone.
This is a basic question (I think) regarding XSS protection.
I am building a web search engine (sort of like Google, but one that searches not websites but articles in a database).
Just like Google, when you search for something, the query is displayed back
on the page in two places (on the page itself and in the search textbox).
Now I had an XSS problem at the start, but I was able to solve it by
calling the PHP function htmlspecialchars twice.
$sText = htmlspecialchars($s, ENT_QUOTES);
$sSearch = htmlspecialchars($s, ENT_NOQUOTES);
the $sText is the string displayed in the textbox:
<input name="s" type="text" style="width:40%;" value="<?php print $sText; ?>" />
-ENT_QUOTES replaces HTML code AND double quotes (so the user will not
break out of the "value" attribute).
and the $sSearch is displayed right on the page:
<?php print $numHits; ?> results were found for: <?php print $sSearch; ?>.
-ENT_NOQUOTES replaces HTML code but leaves all the quotes intact (I want
people to be able to search for text with quotes, so I can't replace them).
This is all the protection I did, and it works for anything I know of,
but a simple search on Google reveals complicated, unreadable functions for XSS protection, and it's not just one site.
Am I missing something? Does XSS protection need these complicated functions?
Thanks in advance,
Maor
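As an added example (not code from the original post), the PHP script below puts the two escaping calls from the post into one runnable file, renders both output fragments with constructed sample inputs, and adds a small self-check. The function names `escapeForAttribute`, `escapeForTextNode`, `renderSearchPage` and `looksSafe`, the sample strings, and the explicit `'UTF-8'` charset argument are this example's own choices, not the poster's code.

```php
<?php
// Added example, not part of the original post. Sample inputs are constructed.

// Escape a value that will be placed inside a double-quoted attribute.
// ENT_QUOTES converts & < > " and ' so the value cannot terminate the attribute.
// The charset is passed explicitly so the encoder never has to guess it.
function escapeForAttribute(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Escape a value that will be placed in text content between tags.
// ENT_NOQUOTES converts & < > but leaves " and ' intact; that is fine here
// because quotes carry no meaning in a text node, only inside attributes.
function escapeForTextNode(string $s): string {
    return htmlspecialchars($s, ENT_NOQUOTES, 'UTF-8');
}

// Render the two fragments from the post with the context-appropriate escaping.
// Note the attribute is delimited by double quotes: ENT_QUOTES only helps
// if the attribute is actually quoted in the template.
function renderSearchPage(string $query, int $numHits): string {
    $sText   = escapeForAttribute($query);
    $sSearch = escapeForTextNode($query);
    return '<input name="s" type="text" style="width:40%;" value="' . $sText . '" />' . "\n"
         . $numHits . ' results were found for: ' . $sSearch . '.' . "\n";
}

// Simple self-check a defender can keep in a unit test: the escaped attribute
// value must contain no raw double quote, and the escaped text node must
// contain no raw angle bracket.
function looksSafe(string $query): bool {
    return strpos(escapeForAttribute($query), '"') === false
        && strpos(escapeForTextNode($query), '<') === false;
}

// Constructed sample inputs: a benign quoted phrase (quotes must survive in
// the text node), an attribute-breakout attempt, and stray markup.
$samples = [
    '"hello world"',
    'x" onfocus="alert(1)',
    '<b>bold</b> & ampersand',
];

foreach ($samples as $q) {
    echo "--- input: $q\n";
    echo renderSearchPage($q, 3);
    echo looksSafe($q) ? "self-check: ok\n" : "self-check: UNSAFE\n";
}
```

Run it with `php example.php` and compare the three outputs: in the attribute the double quote becomes `&quot;`, while in the text node the same quote is left as-is and the search phrase still reads naturally. The two contexts stay safe only as long as each escaped value lands in the context it was escaped for; a value escaped with ENT_NOQUOTES placed inside an attribute, or either value placed inside a `<script>` block, would need different treatment.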