A few security relations related to the interplay between PHP, JSON, JS, and jQuery

I am wondering if there are any potential security holes when running these PHP and JS functions. The array of harmful things contains things submitted by a user.

The obvious thing is < script > might get through, but I could be overlooking other security issues.

Here’s the PHP side:

<?php
$arrayOfHarmfulThings = ['an array of potentially harmful things', 'harmful_thing_2'];

$sanitizedThings = []; // array of sanitized things to hold the output from the loop

// sanitize each user input
foreach ($arrayOfHarmfulThings as $harmfulThing) {
	$sanitizedThings[] = htmlentities($harmfulThing, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// json encode for server response
$jsonEncodedArray = json_encode($sanitizedThings);

Now for the JS side, assuming I have already captured the json into a variable:

var json; // holds the JSON string returned from the server

json = JSON.parse(json);

for (var key in json) {
	$('#div').append(json[key]);
}

Am I looking at any security concerns here? From testing, without using htmlentities, a user input of “< script >” was embedded in the html but was escaped with it. I am worried that the json encoder might unencode or unescape something important, or perhaps JSON.parse might. Should I be concerned? Do I need to do more than this?

htmlentities doesn’t sanitise anything - it just destroys data for any use other than outputting as HTML - you should only ever use it when echoing output into HTML.

Use the PHP sanitising filters for sanitising input.

You should also look into using CSP headers to prevent any inline CSS and JavaScript from being allowed - that will block many client side injection techniques.

You are right that htmlentities doesn’t sanitize except to encode things for display in html, but I mean to echo the user input in the html. (I’m not putting this user input into a database, I should have said that.)

Is there another specific PHP sanitizing filter you could recommend here? A use case would be a simple program that asks, “What is your name?” and then appends it to the page with jquery using the code path specified above. Before I added htmlentities, < script > would have gotten through, so I am trying to secure the entire code path, but I don’t have a lot of security knowledge.

I didn’t know about CSP headers so I have a lot of reading to do there. Thanks for pointing it out to me.

(In all my posts < script > without the spaces prevents the rest of the text from loading, so consider it without the spaces.)

It can be useful to figure out just what you are trying to protect. If you are trying to protect the user from themself, then that cannot be done other than with judicious use of an undo feature.

If instead you are trying to protect the server-side from effects of the user, that can be an easier approach to take.

The final challenge is protecting a user from the impact of other users, which is the most difficult one to resolve but is reliably dealt with by the use of what has already been mentioned here.

I am trying to protect a user from the impact of other users. To extend the example, a user’s name could be placed in the html shown to another user. This might contain malicious code of some kind I can’t anticipate due to a lack of security knowledge.

Is dealing with this a matter of the CSP headers @felgall mentioned or is there some additional sanitization needed?

Quoting Torite (post 5, topic 231563):
“I am trying to protect a user from the impact of other users. To extend the example, a user’s name could be placed in the html shown to another user. This might contain malicious code of some kind I can’t anticipate due to a lack of security knowledge.”

That’s something that people in the PHP forum can better advise you with.

This Content Security Policy headers article is a good place to gain lots of good detail in regard to that, and the settings are also applied on the server side.
