Is addslashes() safe to prevent XSS in a HTML attribute?

It is highly ineffective.

Is this vulnerable to XSS? Yes.

Is there any way javascript can run in a value attribute like it can in an src attribute, for example, src='javascript:alert(99)'? No.

Or can the value attribute be broken out of and then script tags can be inserted? The data just has to include a " and the attribute is broken out of.

Use htmlspecialchars when you want to insert an arbitrary string into an attribute value.

Using a double or single quote isn't breaking out, it is simply escaped. Is it really vulnerable to XSS? – MrCode Dec 2 '11 at 8:57

@user995579 — It isn't escaped. It just has a slash before it. That has no more significance than putting a d before it in HTML. – Quentin Dec 2 '11 at 8:58

Yes it puts a slash before it. This is keeping all user input within the value attribute and so I don't think it can be broken out of. – MrCode Dec 2 '11 at 9:04

@user995579 — No! It doesn't! A slash is not an escape character in HTML! – Quentin Dec 2 '11 at 9:05

My XSS attack skills aren't up to putting together a real test case at this time of the morning, but this jsfiddle demonstrates that a slash is not an HTML escape character. – Quentin Dec 2 '11 at 9:08

Addslashes() is not appropriate for this task. Use htmlspecialchars() or htmlentities() instead, eg.
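As an added example (my own code, not from either answer), here is a PHP script that builds the same `<input value="...">` markup with both functions and parses it back with DOMDocument to show which one keeps the user string inside the attribute; `$userInput` is a constructed value, not taken from the question.

```php
<?php
// Added example, not from the answers above: render one <input> with addslashes()
// and one with htmlspecialchars(), then read the value attribute back the way a
// browser would, to see whether the attribute ended early at the raw quote.

// Constructed input: an ordinary string that happens to contain a double quote.
$userInput = 'foo" bar';

function renderWithAddslashes(string $s): string {
    // addslashes() only puts a backslash before quotes, backslashes and NUL.
    // HTML has no backslash escape, so the " still terminates the attribute.
    return '<input type="text" value="' . addslashes($s) . '">';
}

function renderWithHtmlspecialchars(string $s): string {
    // ENT_QUOTES turns both " and ' into entities, so the attribute cannot end early.
    return '<input type="text" value="' . htmlspecialchars($s, ENT_QUOTES, 'UTF-8') . '">';
}

// Parse the markup and return what the browser would see as the value attribute.
function parsedValue(string $html): ?string {
    $doc = new DOMDocument();
    // The addslashes() variant is malformed HTML, so suppress libxml's warnings.
    @$doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input ? $input->getAttribute('value') : null;
}

$cases = [
    'addslashes'       => renderWithAddslashes($userInput),
    'htmlspecialchars' => renderWithHtmlspecialchars($userInput),
];

foreach ($cases as $name => $html) {
    $value  = parsedValue($html);
    $status = ($value === $userInput) ? 'intact' : 'TRUNCATED (attribute ended at the quote)';
    echo "$name: $html\n";
    echo "  value seen by the browser: " . var_export($value, true) . " => $status\n";
}
```

Running it shows the addslashes() variant yields the attribute `foo\` with ` bar` spilling out as a separate attribute, while the htmlspecialchars() variant returns the original string unchanged.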

