4
votes

I have a form where users can fill in a news article. This contains a title and body. For each page to have a unique title, I'm using the user input (title) in the <title>-tags:

<title>$userinput</title>

I'm wondering - is it possible for the user to perform an XSS-attack this way? Should I escape this user input using htmlspecialchars?

The same also applies to <meta>-tags. I'm using user input for the description:

<meta name="description" content="$userinput" />

Can a user perform XSS-attacks in <title> and <meta>-tags?

3
As soon as you write unescaped HTML to a webpage, there is a possibility of XSS. – zneak

3 Answers

6
votes

Should I escape this user input using htmlspecialchars?

Yes. Location doesn't matter. All user input should be escaped.

References:

3
votes

He could close any tag first:

</title><script> alert('here I am') </script>

0
votes

It is possible to perform an XSS attack that way.

I'd use htmlentities to begin with. Also you might want to consider HTML Purifier. Lastly, you might want to consider PHPIDS. That would be a bit overkill for most situations though...
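The escaping discussed in the answers above, applied to the two templates from the question. This is an added example, not code from the original posts. The helper names `e` and `renderHead` and the sample description are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Escape a value for HTML text and quoted-attribute contexts.
// ENT_QUOTES encodes both " and ', which matters inside content="...".
// ENT_SUBSTITUTE replaces invalid UTF-8 sequences with U+FFFD instead of
// making htmlspecialchars() return an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: renders the <title> and <meta> elements from the
// question with every user-supplied value escaped at output time.
function renderHead(string $title, string $description): string
{
    return '<title>' . e($title) . "</title>\n"
         . '<meta name="description" content="' . e($description) . '" />' . "\n";
}

// Constructed sample inputs: the payload quoted in one of the answers, and
// a harmless description that happens to contain quotes and an ampersand.
$title       = "</title><script> alert('here I am') </script>";
$description = 'She said "read this" & left';

echo "Unescaped, as in the question:\n";
echo "<title>$title</title>\n\n";

$head = renderHead($title, $description);
echo "Escaped:\n$head";

// Sanity check: no raw tag from the input survives in the escaped output.
if (stripos($head, '<script') !== false) {
    throw new RuntimeException('user input reached the page unescaped');
}
```

The attribute value must stay inside double quotes in the template. `htmlspecialchars` does not make an unquoted attribute safe.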