Reply to Re: Will htmlentities avoid all XSS in php?


Posted by Toby A Inkster on 01/24/08 13:40

Erwin Moller wrote:

> Question: If I use htmlentities($orginalString,ENT_QUOTES) everywhere I
> output anything to the browser that originated from user input, will an
> XSS attack be possible?

Well, you'd still be vulnerable to bugs in htmlentities() itself. For
example, I've not checked how well it copes with overlong forms in Unicode.

For those who don't know what an overlong form is, UTF-8 stores ASCII
characters as 1 byte; accented characters, the Greek alphabet and a few
other small alphabets as 2 bytes; most other characters are 3 bytes; but a
few oddball characters are 4 bytes. However, it's theoretically possible
to store, say, a character that would normally be a 1 byte character as a
2, 3 or even 4 byte character. That way naive string processors looking
for, say, '<' in a string might not be able to find it.

Overlong forms like this are prohibited in the UTF-8 spec, but this
prohibition is often not properly enforced by decoders, and can lead to
vulnerabilities.

--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 25 days, 45 min.]

CSS to HTML Compiler
http://tobyinkster.co.uk/blog/2008/01/22/css-compile/
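
The overlong-form check described in the post above, as an added example that is not part of the original post: it walks a byte string, decodes each UTF-8 sequence and flags any that uses more bytes than its code point needs, then only passes well-formed input on to htmlentities(). The function name `utf8_problems` and the sample strings are constructed for illustration, and the mbstring extension is assumed to be loaded for the `mb_check_encoding()` comparison.

```php
<?php
/**
 * Hypothetical helper (added example). Returns a list of problems found;
 * an empty array means well-formed UTF-8 with no overlong forms.
 */
function utf8_problems(string $bytes): array
{
    // Smallest code point that legitimately needs 2, 3 and 4 bytes.
    $minForLength = [2 => 0x80, 3 => 0x800, 4 => 0x10000];
    $problems = [];
    $n = strlen($bytes);
    for ($i = 0; $i < $n; ) {
        $b = ord($bytes[$i]);
        if ($b < 0x80) { $i++; continue; }              // 1-byte ASCII
        if (($b & 0xE0) === 0xC0)     { $len = 2; $cp = $b & 0x1F; }
        elseif (($b & 0xF0) === 0xE0) { $len = 3; $cp = $b & 0x0F; }
        elseif (($b & 0xF8) === 0xF0) { $len = 4; $cp = $b & 0x07; }
        else { $problems[] = "offset $i: invalid lead byte"; $i++; continue; }
        if ($i + $len > $n) { $problems[] = "offset $i: truncated sequence"; break; }
        $ok = true;
        for ($k = 1; $k < $len; $k++) {
            $c = ord($bytes[$i + $k]);
            if (($c & 0xC0) !== 0x80) { $ok = false; break; }
            $cp = ($cp << 6) | ($c & 0x3F);             // append 6 payload bits
        }
        if (!$ok) { $problems[] = "offset $i: bad continuation byte"; $i++; continue; }
        if ($cp < $minForLength[$len]) {
            // The decoded value would have fitted in a shorter sequence.
            $problems[] = sprintf("offset %d: overlong %d-byte form of U+%04X", $i, $len, $cp);
        } elseif ($cp > 0x10FFFF || ($cp >= 0xD800 && $cp <= 0xDFFF)) {
            $problems[] = sprintf("offset %d: code point U+%04X not allowed", $i, $cp);
        }
        $i += $len;
    }
    return $problems;
}

// Constructed samples: ordinary text, and one holding 0xC0 0xBC,
// a 2-byte overlong form of '<' (U+003C).
$samples = ["caf\xC3\xA9 <b>", "a\xC0\xBCb"];
foreach ($samples as $s) {
    $problems = utf8_problems($s);
    // mb_check_encoding() is PHP's built-in validity check, shown for comparison.
    printf("%s  builtin_valid=%s  problems=%s\n", bin2hex($s),
        var_export(mb_check_encoding($s, 'UTF-8'), true), json_encode($problems));
    // Only well-formed input reaches the escaper; anything else is rejected.
    echo $problems ? "  rejected\n" : "  " . htmlentities($s, ENT_QUOTES, 'UTF-8') . "\n";
}
```

Passing the charset explicitly to htmlentities() matters here: without the ENT_IGNORE or ENT_SUBSTITUTE flags it returns an empty string when the input is not valid in the declared encoding.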
