How to prevent an image in URL loading on the page

I am trying to secure our pages from what I believe are XSS attacks, and I have an example below.

I'm not sure how to handle it, as ?Category=All Inclusive is correct; it's just the rest of it.

http://dev.mysite.com/category-Result.php?Category=All Inclusive">Te<img src="https://i.ytimg.com/vi/V08WRasGLG8/hqdefault.jpg"/>st

I'm wondering if I need to try and detect if there is something bad going on in the URL and, if so, stop the page loading or take the user somewhere else, as it's obviously deliberate and trying to embarrass the website owner.

But I'm not sure how to look at the URL and do the test: if all good, carry on loading the page; if not, move to an error page perhaps.

Is that how the URL is coded on your webpage?

Hi Rubble,

No, this is me deliberately doing this, to stop it happening in the future.

Normally it's just

http://dev.mysite.com/category-Result.php?Category=All Inclusive

You need to escape the value of Category so that, for example, " becomes &quot;. That way any garbage in the URL will just be displayed as text and not interpreted as HTML.

In PHP you would use the htmlentities function for that. Other languages probably have something similar.

OK, I have just tried this in PHP and it didn't stop the image showing.

function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  // Encode <, >, &, " and ' once. Calling htmlentities() on the result as well
  // double-encodes: the & in &quot; would become &amp;quot;.
  $data = htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
  return $data;
}

$selectCategory = test_input($_GET['Category'] ?? '');

That is very weird. Can you show the code that displays the value?

It's popping up inside the form

<form name="form1" id="myForm">
<input type="hidden" name="Category" value="All Inclusive">Te<img src="https://i.ytimg.com/vi/V08WRasGLG8/hqdefault.jpg" />st" />
</form>

Can you show the php code for that form?

It could be this

<?php
if ($selectCategory == "All Inclusive") {
  $aInclusive = $pdo->prepare("SELECT DISTINCT(Id_Cntry), Nom_Cntry
      FROM tbl_countries
      LEFT JOIN tbl_hotels ON (tbl_countries.Id_Cntry=tbl_hotels.IdCntry_Hot)
      LEFT JOIN tbl_hotntem ON (tbl_hotels.Id_Hot=tbl_hotntem.Id_Hot)
      LEFT JOIN tbl_tematics ON (tbl_hotntem.Id_Tem=tbl_tematics.Id_Tem)
      WHERE (tbl_hotels.Act_Hot='1') AND (tbl_tematics.Id_Tem='7')
      ORDER BY tbl_countries.Nom_Cntry");
  $aInclusive->execute();

  // Per-country hotel count, prepared once; the country id is bound, never concatenated.
  $query1 = $pdo->prepare("SELECT COUNT(tbl_hotels.Id_Hot) AS total1
      FROM tbl_hotels
      LEFT JOIN tbl_countries ON (tbl_countries.Id_Cntry=tbl_hotels.IdCntry_Hot)
      LEFT JOIN tbl_hotntem ON (tbl_hotels.Id_Hot=tbl_hotntem.Id_Hot)
      LEFT JOIN tbl_tematics ON (tbl_hotntem.Id_Tem=tbl_tematics.Id_Tem)
      WHERE (tbl_hotels.Act_Hot='1') AND (tbl_tematics.Id_Tem='7')
      AND (tbl_countries.Id_Cntry=:countryIDa)
      ORDER BY tbl_hotels.Id_Hot");

  $checked = (isset($_REQUEST['countries']) && is_array($_REQUEST['countries']))
      ? $_REQUEST['countries'] : [];

  while ($q = $aInclusive->fetch()) {
    $query1->bindValue(":countryIDa", $q['Id_Cntry']);
    $query1->execute();
    $cfamHotels = 0; // default if the count query returns no row
    while ($result1 = $query1->fetch()) {
      $cfamHotels = $result1['total1'];
    }
    // Escape every value at the point of output, database-sourced ones included.
    $id   = htmlspecialchars($q['Id_Cntry'], ENT_QUOTES, 'UTF-8');
    $name = htmlspecialchars($q['Nom_Cntry'], ENT_QUOTES, 'UTF-8'); ?>
<input type="checkbox" name="countries[]" value="<?php echo $id; ?>" onClick="javascript:checkRefresh()" <?php echo in_array($q['Id_Cntry'], $checked) ? 'checked="checked"' : ''; ?> class="inline" /><?php echo $name; ?>&nbsp;
<span class="result_Number_Count">[<?php echo (int) $cfamHotels; ?>]</span>
<br/>
<?php }
} ?>

Or actually it looks like it's coming out here

<?php if (isset($_GET['Category'])) { ?>
 <input type="hidden" name="Category" value="<?php echo $_GET['Category'];?>" />
<?php } ?>

And yes, so it's the echo out of echo $_GET['Category'];

Yeah, that's it, I just did this:

<input type="hidden" name="Category" value="<?php echo test_input($_GET['Category']);?>" />

And the pic doesn't show. Does that make sense to you ScallioXTX? Sorry I missed it right down there at the bottom.
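The fix the thread arrives at, escaping at the echo, as an added PHP example that is not code from the thread: it also pairs the escaping with an allow-list check on the value, since Category only ever takes a handful of known names (the category list here is an assumption).

```php
<?php
// Added example, not code from the thread: the parameter is checked against an
// allow-list on input and escaped for the attribute context on output.

// Constructed input: the payload the thread shows appended to Category.
const ATTACK = 'All Inclusive">Te<img src="https://i.ytimg.com/vi/V08WRasGLG8/hqdefault.jpg"/>st';

// Assumed category set; the real site's list is not given in the thread.
const CATEGORIES = ['All Inclusive', 'Family', 'Adults Only'];

// Escape once for an HTML attribute. ENT_QUOTES also covers single-quoted
// attributes; before PHP 8.1 htmlspecialchars() left ' untouched by default.
function escape_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Returns the category only if it is one the site knows; null otherwise.
function valid_category(?string $value): ?string
{
    return ($value !== null && in_array($value, CATEGORIES, true)) ? $value : null;
}

// Before: the raw echo lets a " in the value close the attribute.
function render_hidden_raw(string $category): string
{
    return '<input type="hidden" name="Category" value="' . $category . '" />';
}

// After: the value is escaped where it is written into the markup.
function render_hidden_safe(string $category): string
{
    return '<input type="hidden" name="Category" value="' . escape_attr($category) . '" />';
}

echo "Raw:     ", render_hidden_raw(ATTACK), "\n";
echo "Escaped: ", render_hidden_safe(ATTACK), "\n";

// The escaped markup contains exactly one tag, the <input> built here.
$safe = render_hidden_safe(ATTACK);
echo substr_count($safe, '<') === 1 ? "no injected tag\n" : "escaping failed\n";

// Both controls together: an unknown value never reaches the query or the page.
foreach ([ATTACK, 'All Inclusive'] as $input) {
    $category = valid_category($input);
    echo ($category === null ? "rejected: unknown category" : render_hidden_safe($category)), "\n";
}
```

Run it with `php` on the command line; the raw line reproduces the broken markup from the thread's form, the escaped line shows the same bytes rendered as text.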
