Circumventing htmlspecialchars(addslashes(input)) for HTML/JavaScript injection

Question

Assume some PHP code which echoes an input sanitized by first applying addslashes() and then htmlspecialchars() to an HTML document. I have heard that this is an unsafe approach, but cannot figure out why.

Any suggestions as to what sort of formatting could be applied to a dangerous input, such as JavaScript in script tags, to bypass the security measures imposed by the two functions would be appreciated.

Answer 1

addslashes is irrelevant to XSS (and there is almost always something better in places where it is actually useful).

htmlspecialchars is not an unsafe approach. It is just insufficient by itself.

htmlspecialchars will protect you if you put the content as the body of a "safe" element.

It will protect you if you put the content as the value of a "safe" attribute if you also properly quote the value.

It won't protect you if you put it as the value of an "unsafe" attribute or element (where the content may be treated as JavaScript) such as <script>, onmoseover, href or style.

---

For example:

<!-- http://example.com/my.php?message=", steal_your_cookies(), " -->
<!-- URL not encoded for clarity. Imagine the definition of steel_your_cookies was there too -->

<button onclick='alert("<?php echo htmlspecialchars($_GET['message']); ?>")'>
   click me
</button>

will give you:

<button onclick='alert("&quot;, steal_your_cookies(), &quot;")'>
   click me
</button>

which means the same as:

<button onclick='alert("", steal_your_cookies(), "")'>
   click me
</button>

which will steal your cookies when you click the button.