htmlspecialchars bypass
by - Thursday, January 1, 1970 at 12:00 AM
How do I bypass htmlspecialchars for XSS?
Reply
You cannot bypass the character encoding. However, depending on your web app, maybe there is XSS in JS code, or specific DOM-based content that is vulnerable.


Reply
The ONLY way to prevent against these attacks is to sanitize and validate input on the server-side instead of, or in addition to, client-side validation. For sanitizing HTML out of input, htmlspecialchars is perfectly adequate unless you WANT to allow certain tags, in which case you can use a library like HTMLPurifier.
Reply
Handle it in Server-Side to make secret website / app
Reply
(August 26, 2022, 08:58 PM)CUTECAT6996 Wrote: You cannot bypass the character encoding. However, depending on your web application, there may be XSS in the JS code, or specific DOM-based content that is vulnerable.


thank you
Reply
You could try double URL encoding the payload. It would work in theory like this:

send payload  -->  url decoded --> stored --> when accessed again from another app it would be decoded the second time

For example: register a username that is double encoded. The server decodes it the first time when the payload is sent, it is stored, and when someone visits your profile the payload is decoded a second time, triggering it.
Reply
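The double-decoding flow described in the post above, together with the earlier point about JS contexts, as an added example that is not code from any poster in this thread. It uses harmless constructed markup and hypothetical function names to show that htmlspecialchars only protects when it runs after the last decode, and that a script context needs a different encoder.

```php
<?php
declare(strict_types=1);

// Constructed sample: harmless <b>hi</b> markup, URL-encoded twice.
$submitted = '%253Cb%253Ehi%253C%252Fb%253E';

// The receiving app decodes once and stores the result (still URL-encoded once).
$stored = rawurldecode($submitted);

const ESC_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE;

// All function names below are hypothetical, chosen for this example.

// Flawed order: escape first, then a later consumer decodes again.
// htmlspecialchars sees only percent signs and letters, so it changes nothing,
// and the second decode recreates the angle brackets after the escaping step.
function render_escape_early(string $stored): string
{
    $escaped = htmlspecialchars($stored, ESC_FLAGS, 'UTF-8');
    return rawurldecode($escaped);
}

// Correct order: finish every decode, then escape at the point of output.
function render_escape_late(string $stored): string
{
    return htmlspecialchars(rawurldecode($stored), ESC_FLAGS, 'UTF-8');
}

// Script context: HTML entity escaping is the wrong encoder inside <script>.
// json_encode with the HEX flags emits a JS string literal whose content
// contains no raw <, >, &, ' or " characters.
function render_js_literal(string $stored): string
{
    return json_encode(
        rawurldecode($stored),
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

echo 'stored:       ', $stored, PHP_EOL;
echo 'escape early: ', render_escape_early($stored), PHP_EOL;
echo 'escape late:  ', render_escape_late($stored), PHP_EOL;
echo 'js literal:   ', render_js_literal($stored), PHP_EOL;
```

Only the "escape early" line prints live markup; the other two render the same input inert for their respective contexts.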
(September 3, 2022, 05:13 AM)wideeyeveeti Wrote: You could try double URL encoding the payload. It would work in theory like this:

send payload  -->  url decoded --> stored --> when accessed again from another app it would be decoded the second time

For example: register a username that is double encoded. The server decodes it the first time when the payload is sent, it is stored, and when someone visits your profile the payload is decoded a second time, triggering it.


interesting, i will try this, thank you
Reply
when it comes to xss i recommend examples from owasp: https://owasp.org/www-community/attacks/xss/
Reply

