current community

your communities

more stack exchange communities

Stack Exchange
tour help
careers 2.0
Take the 2-minute tour ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 5 down vote favorite

Is this 100% safe against XSS? If not, can you please provide example bad string text showing me why it is not.

<html>
  <body>
    <script>
      <?php
        $bad = "some bad string.  please give example text that makes the below unsafe";
        echo "var a = ".json_encode($bad).";";
        echo "var b = ".json_encode(array($bad)).";";
      ?>
    </script>
  </body>
</html>

Thanks.
share|improve this question
2  
That kinda depends on what you eventually do with a doesn't it? –  chustar May 6 '11 at 15:24
    
Where is $bad actually coming from? Not that it matters since json_encode only creates valid JSON, which is "non-executable". –  Kevin Peno May 6 '11 at 15:25
    
@kevin, json_encode creates valid json –  Neal May 6 '11 at 15:26
    
@Neal, thanks for the correction. –  Kevin Peno May 6 '11 at 15:27
    
I'm mainly concerned about $bad containing javascript that is somehow executed. Based on Lekensteyn's answer below, it seems that this is impossible and so it is safe. But if anyone can show me otherwise it would certainly be a shock to my system! –  user324289 May 6 '11 at 15:34

1 Answer 1

up vote 4 down vote accepted

In short, it's safe. Possible XSS would require escaping from the javascript string (") or script (</script>). Both strings are properly escaped:

"          becomes  \"
</script>  becomes  <\/script>

This is the the part about direct injection. Your application should take in account that some array elements may be missing. Another possibility is that an array element is not the type you would expect (e.g., an array instead of a string)

share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.