├── README.md
└── htmlspecialchars - htmlentities
    ├── README.md
    └── XSS.png

/README.md:
--------------------------------------------------------------------------------
# XSS Bypass
[Bypass htmlspecialchars & htmlentities](https://github.com/X-Vector/XSS_Bypass/blob/master/htmlspecialchars%20-%20htmlentities/README.md)

--------------------------------------------------------------------------------
/htmlspecialchars - htmlentities/README.md:
--------------------------------------------------------------------------------
# Bypassing htmlentities & htmlspecialchars
`htmlentities()` and `htmlspecialchars()` are the standard PHP functions for escaping output to mitigate XSS. To see exactly which characters they escape, I wrote the following code:

```php
<?php
$a = "!@#$%^&*()}{\'\"|?><`~}";
echo "htmlentities : ".htmlentities($a)."<br>";
echo "htmlspecialchars : ".htmlspecialchars($a);
?>
```
The resulting output (as seen in the page source) was:
```html
htmlentities : !@#$%^&amp;*()}{\'&quot;|?&gt;&lt;`~}
htmlspecialchars : !@#$%^&amp;*()}{\'&quot;|?&gt;&lt;`~}
```

With their default flags, both functions replace `<`, `>`, `"` and `&` with the corresponding entity names, while `'` and `\` pass through unchanged. So calling `htmlentities()` or `htmlspecialchars()` with the default flags does not fully protect against XSS: whenever the escaped value is written inside a single-quoted HTML attribute, a `'` in the input terminates the attribute value. (Note that the default flags include `ENT_QUOTES` since PHP 8.1, so this applies to PHP versions before 8.1, or to code that explicitly passes a flag set without `ENT_QUOTES`.)

Now let's exploit this with the payload `'onerror='alert("XSS")''` against code that echoes the escaped value into a single-quoted HTML attribute:
![XSS](https://github.com/X-Vector/XSS_Bypass/blob/master/htmlspecialchars%20-%20htmlentities/XSS.png?raw=true)

As the screenshot shows, the first `'` of the payload closes the attribute value and `onerror='alert("XSS")'` is parsed as a new attribute. The functions are bypassed whenever the attribute is delimited with single quotes, because that is the one delimiter they do not escape by default.
## How to Prevent XSS:
To prevent this, `'` must be escaped as well, as `&#039;` (which is exactly what passing `ENT_QUOTES` does), and attribute values in the template must always be quoted. Use one of the two functions; applying both to the same string only double-encodes `&`. The original write-up also strips `\`; that character has no special meaning in HTML, so removing it is harmless, but it is not what stops the injection.
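To make the attribute breakout concrete without a browser, here is an added Python example (not code from the XSS_Bypass repository): it emulates PHP's `htmlspecialchars()` with and without `ENT_QUOTES`, writes the escaped payload into a constructed `<img src='...'>` template, and tokenises the resulting start tag roughly the way an HTML parser does, so the injected `onerror` attribute becomes visible in the parsed attribute list. The `render_img` template and the small tokeniser are assumptions made for the demonstration, not part of the original write-up.

```python
import html

PAYLOAD = "'onerror='alert(\"XSS\")''"  # the payload from the write-up


def htmlspecialchars(value: str, ent_quotes: bool = False) -> str:
    """Emulate PHP's htmlspecialchars(). With ent_quotes=False this mirrors the
    pre-PHP-8.1 default (ENT_COMPAT): '"' is escaped but "'" is left alone."""
    value = (value.replace("&", "&amp;")  # '&' first so later entities stay intact
                  .replace("<", "&lt;")
                  .replace(">", "&gt;")
                  .replace('"', "&quot;"))
    if ent_quotes:
        value = value.replace("'", "&#039;")  # the extra replacement ENT_QUOTES adds
    return value


def render_img(src: str, ent_quotes: bool) -> str:
    """Constructed template (assumption): the escaped value is placed in a
    single-quoted attribute, the context in which the bypass works."""
    return f"<img src='{htmlspecialchars(src, ent_quotes)}'>"


def parse_attributes(tag: str) -> list[tuple[str, str]]:
    """Tokenise the attributes of a start tag roughly as the HTML spec does: a quoted
    value ends at the matching quote, and whatever follows the closing quote is
    treated as the start of the next attribute name. Returns (name, value) pairs."""
    body = tag[tag.index(" ") + 1 : tag.rindex(">")]
    attrs: list[tuple[str, str]] = []
    i, n = 0, len(body)
    while i < n:
        while i < n and body[i] in " \t\n\f/":  # before attribute name
            i += 1
        if i >= n:
            break
        start = i
        if body[i] == "=":  # spec: a leading '=' becomes part of the name
            i += 1
        while i < n and body[i] not in " \t\n\f/=":  # attribute name
            i += 1
        name = body[start:i].lower()
        while i < n and body[i] in " \t\n\f":  # after attribute name
            i += 1
        value = ""
        if i < n and body[i] == "=":
            i += 1
            while i < n and body[i] in " \t\n\f":  # before attribute value
                i += 1
            if i < n and body[i] in "'\"":  # quoted value: runs to the matching quote
                quote = body[i]
                i += 1
                start = i
                while i < n and body[i] != quote:
                    i += 1
                value = body[start:i]
                i += 1  # consume the closing quote
            else:  # unquoted value: runs to whitespace
                start = i
                while i < n and body[i] not in " \t\n\f":
                    i += 1
                value = body[start:i]
        attrs.append((name, html.unescape(value)))  # entity-decode like a browser
    return attrs


def injected_event_handlers(tag: str) -> list[str]:
    """Names of on* attributes the parser sees; a non-empty list means the payload
    escaped the attribute value and would run as JavaScript."""
    return [name for name, _ in parse_attributes(tag) if name.startswith("on")]


if __name__ == "__main__":
    for ent_quotes in (False, True):
        tag = render_img(PAYLOAD, ent_quotes)
        print(f"ENT_QUOTES={ent_quotes}: {tag}")
        print("  attributes:", parse_attributes(tag))
        print("  injected handlers:", injected_event_handlers(tag))
```

Compare the two attribute lists: without `ENT_QUOTES` the parser sees `src` terminated early, a live `onerror` attribute and a stray attribute named `''`; with `ENT_QUOTES` every `'` is `&#039;`, so the whole payload stays inside `src` and decodes back to harmless text.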
You can employ the following straightforward code to prevent XSS. The escaping call comes first: if `'` were replaced with `&#039;` before calling `htmlspecialchars()`, the `&` of the entity would itself be encoded to `&amp;` and the browser would display a literal `&#039;`.
```php
function check($str)
{
    $str = htmlspecialchars($str);            // or $str = htmlentities($str); escapes & < > "
    $str = str_replace("'", '&#039;', $str);  // Replace [ ' ] with [ &#039; ] (what ENT_QUOTES would do)
    $str = str_replace('\\', '', $str);       // Remove [ \ ] (not needed for HTML, kept from the original write-up)
    return $str;
}
```
Alternatively, you can filter your input using the `ENT_QUOTES` flag, which escapes `'` in one step (`ENT_SUBSTITUTE` additionally replaces invalid UTF-8 sequences instead of returning an empty string; both flags are on by default since PHP 8.1 but must be passed explicitly on older versions). Whichever function you use, write the result between quotes in the template.
```php
// Using htmlentities
$value = htmlentities($_GET['src'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// Using htmlspecialchars
$value = htmlspecialchars($_GET['src'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
```

--------------------------------------------------------------------------------
/htmlspecialchars - htmlentities/XSS.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/X-Vector/XSS_Bypass/231b0766797655f25f3f2d029a4dfd3a442f8061/htmlspecialchars - htmlentities/XSS.png
--------------------------------------------------------------------------------