Addslashes safe to protect against xss in array?

J

jujuu

New Member
Came across some code today that had a javascript array, made in php, using only php's addslashes() to sanitize. At first I thought this was an easy XSS vulnerability, but I haven't been able to see it's flaw. Here's an example of what I'm talking about:foo.php\[code\]$itemList = "[";foreach ($array as $item) { $itemList .= "'".addslashes($item)."',";}$itemList = "'']";\[/code\]bar.html\[code\]<script> var a = <?php echo $itemList; ?></script>\[/code\]Obviously something like \[code\]']; alert("xss"); b=['\[/code\] won't be effective because it will be turned into \[code\]\']; alert(\"xss\"); b=[\'\[/code\]. So is this really safe, and my code smell is non-existent?``Edit:Can someone show me how this doesn't work? I know that this is not best practice, and would not use this in my code, but if I want to rewrite the code I need proof to convince others
 
You must log in or register to reply here.
Back
Top