Tags: xss, code-injection, htmlspecialchars, html-injections

Cross Site Scripting Array Multiple Results


Hello lovely people of StackOverflow,

I built an application to store movies, so I can search for them at a later time. All is working, but I'm trying to prevent XSS. I've looked at W3Schools' htmlspecialchars, but the problem I'm running into is that I'm returning multiple field results such as "Keywords", "Category", "Date Saved" and "Website".

I can prevent XSS on only one field but then the rest of the fields don't return any data.

Here is the code that echoes the data from the database:

    echo "<tr align='center' bgcolor='#0f7ea3'> 
    <td height='25px'>"
    .$results['Website']."</td>
    <td>".$results['Keywords']."</td>
    <td>".$results['Category']."</td> 
    <td>".$results['Date Saved']."</td>
    <td> <a href='" . $results['Website'] . "'>Click To Access Your Link</a></td>
    </tr>" ;

Hopefully I've explained my issue correctly.

Thanks


Solution

  • This is an update to the suggestion provided by "nobody"

    The code provided was accurate except for the "." placement. Other than that, the code worked perfectly.

    Suggested:

    <td>"htmlspecialchars(.$results['Date Saved'], ENT_QUOTES)."</td>

    Correct Code:

    <td>".htmlspecialchars($results['Date Saved'], ENT_QUOTES)."</td>

    Complete Working Code:

    echo "<tr align='center' bgcolor='#0f7ea3'>
        <td height='25px'>"
        .htmlspecialchars($results['Website'], ENT_QUOTES)."</td>
        <td>".htmlspecialchars($results['Keywords'], ENT_QUOTES)."</td>
        <td>".htmlspecialchars($results['Category'], ENT_QUOTES)."</td>
        <td>".htmlspecialchars($results['Date Saved'], ENT_QUOTES)."</td>
        <td> <a href='" . htmlspecialchars($results['Website'], ENT_QUOTES) . "'>Click To Access Your Link</a></td>
        </tr>" ;
    

    Thank you so much.
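The following is an added example, not code from the question or from the answer above. It wraps the same row output in a small rendering function so that every field is escaped for its HTML context in one place, and it adds the check a practitioner would want for the `href` cell: `htmlspecialchars()` neutralises HTML metacharacters, but it does not restrict which URL scheme a stored "Website" value uses, so the link is only emitted when the scheme is http or https. The helper names `e()`, `safeHref()` and `renderRow()` and the sample row are assumptions made for this example.

```php
<?php
// Added example (not from the question or the answer): render one result row
// with every field escaped, and allow-list the URL scheme used in the link.
// Assumes a $results row with the same keys as in the question.

function e(string $value): string
{
    // ENT_QUOTES escapes both ' and " so the value is safe inside either
    // attribute quoting style; ENT_SUBSTITUTE replaces invalid UTF-8 instead
    // of returning an empty string; the charset is stated explicitly.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function safeHref(string $url): ?string
{
    // htmlspecialchars() only escapes HTML metacharacters; it does not stop a
    // stored value from using an unexpected scheme in an href. Only http and
    // https links are rendered; anything else (or a malformed URL) is dropped.
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

function renderRow(array $results): string
{
    $href = safeHref($results['Website']);
    $link = $href === null
        ? '<em>(link not shown: unsupported URL scheme)</em>'
        : "<a href='" . e($href) . "'>Click To Access Your Link</a>";

    // Same table layout as in the question; each value passes through e()
    // before it is concatenated into the markup.
    return "<tr align='center' bgcolor='#0f7ea3'>\n"
        . "  <td height='25px'>" . e($results['Website']) . "</td>\n"
        . "  <td>" . e($results['Keywords']) . "</td>\n"
        . "  <td>" . e($results['Category']) . "</td>\n"
        . "  <td>" . e($results['Date Saved']) . "</td>\n"
        . "  <td>" . $link . "</td>\n"
        . "</tr>\n";
}

// Constructed sample row (not real stored data) to exercise the escaping:
// the quote and tags in Website and the & and " in Keywords are all
// turned into entities in the output.
$sample = [
    'Website'    => "https://example.com/?q='><b>x</b>",
    'Keywords'   => 'sci-fi & "space"',
    'Category'   => 'Movies',
    'Date Saved' => '2024-01-01',
];
echo renderRow($sample);
```

Escaping at output time, as both the answer and this example do, is the right place for it: the database keeps the raw text, and each place that prints it applies the escaping that matches its context (`e()` for element text and attribute values, plus the scheme check for anything that ends up in `href`).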