
3-11 XSS htmlspecialchars bypass demo

2022-04-29 11:43:30 Mountain Rabbit 1

This article covers a method that is used a lot in PHP: the htmlspecialchars() function.

It is one of the key XSS precautions: when we output data, we escape it into HTML entities before it reaches the front end.

XSS bypass - about the htmlspecialchars() function

The htmlspecialchars() function converts predefined characters into HTML entities.

The predefined characters are:

 & (ampersand) becomes &amp;
 " (double quote) becomes &quot;
 ' (single quote) becomes &#039;
 < (less than) becomes &lt;
 > (greater than) becomes &gt;

Available quote types:

ENT_COMPAT - Default. Encodes double quotes only.

ENT_QUOTES - Encodes both double and single quotes.

ENT_NOQUOTES - Encodes neither kind of quotation mark.


By default, single quotes are not encoded, because the single quote is not one of the standard HTML entities on the front end, so the function does not touch it. When our output point is a special one, then even though we used htmlspecialchars() to process the data, an XSS vulnerability may still exist.

When fixing this, whether it is PHP with this particular method or another language, we must check whether the method is comprehensive enough. Here we choose ENT_QUOTES.

Case demonstration

Let's switch to the "xss and htmlspecialchars" item inside the project and try it according to our usual approach first.


Let's take a look at the source code


We can see that the output point is inside the href of an a tag. Here we see a lot of HTML entity symbols, in other words htmlspecialchars has encoded our content: the double quotes, the left and right angle brackets and the & are all encoded, but the single quote is not processed. This place uses the default htmlspecialchars for back-end filtering, so at this point we can construct a payload that gets past the filter:

q' onclick='alert(111)'

This closes the single quote and then appends an onclick. The onclick can be executed because the single quote is not processed, so it is still a valid single quote in the attribute.


We click the link once and the onclick handler fires.


This is how the input is handled on the back end; let's look at the back-end code.


It processes the received data through htmlspecialchars, and after that it outputs it inside an a tag.

In this place it uses the default mode: it does not specify that single quotes should be handled as well as double quotes, so not everything is dealt with. That is the problem.
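The vulnerable output and its fixed form, as an added example that is not the lab's own code; the function names and the $_GET parameter are assumptions. On PHP before 8.1 the default flags are ENT_COMPAT, which leave the single quote alone; from PHP 8.1 the default already includes ENT_QUOTES, but passing the flags explicitly keeps the behaviour the same on every version.

```php
<?php
// Added example, not the lab's code. Assumed names: render_link_vulnerable(),
// render_link_fixed(), and a 'message' GET parameter.

// Vulnerable form (the behaviour the post describes): default flags leave '
// untouched, and the value lands inside a single-quoted attribute, so a single
// quote in the input closes the attribute and whatever follows becomes markup.
function render_link_vulnerable(string $message): string
{
    $safe = htmlspecialchars($message); // ENT_COMPAT on PHP < 8.1: only " is encoded
    return "<a href='{$safe}'>{$safe}</a>";
}

// Hardened form: encode both quote styles (ENT_QUOTES), replace invalid UTF-8
// instead of silently returning an empty string (ENT_SUBSTITUTE), state the
// charset, and put the attribute in double quotes so the delimiter is always
// one of the characters that gets encoded.
function render_link_fixed(string $message): string
{
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // Note: entity encoding keeps the value inside the attribute; it does not
    // validate that the value is a sensible URL, so check the scheme/host
    // separately if the href must only point to your own pages.
    return "<a href=\"{$safe}\">{$safe}</a>";
}

// Constructed input shaped like the one in the post; a real app would read
// $_GET['message'] instead.
$input = "q' onclick='alert(111)'";

echo render_link_vulnerable($input), PHP_EOL; // attribute is closed early
echo render_link_fixed($input), PHP_EOL;      // ' becomes &#039;, stays inside href
```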
