About the Author

Chris Shiflett


Google's XSS Vulnerability

The recent cross-site scripting (XSS) vulnerability discovered in Google is a clear illustration of why character encoding matters. The following example shows how to use PHP's htmlentities() function with its optional third argument, which tells it which character encoding the data is in:

$html = array();
// $clean['username'] holds input that has already been validated.
// ENT_QUOTES escapes both quote styles; 'UTF-8' names the data's encoding,
// so the escaper and the browser agree on what each byte means.
$html['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8');
echo "<p>Welcome back, {$html['username']}.</p>";

The example uses UTF-8, so the same encoding should be declared in the Content-Type header:

Content-Type: text/html; charset=UTF-8

Researchers at Watchfire noticed that Google did not indicate the character encoding of its responses. They also found that requesting a URL such as the following gets the data you send returned in the content of the response:


You will see the following:


Your client does not have permission to get URL /url?EVIL from this server.

Google's escaping did not account for UTF-7. In UTF-7, < and > can be written as +ADw- and +AD4-, sequences made up entirely of characters that an HTML escaper leaves alone, so a payload such as +ADw-script+AD4- passes through untouched and only turns into markup when a browser decodes the page as UTF-7. All an attacker needs, then, is a browser that will interpret Google's response as a UTF-7 resource. Because Google does not indicate the character encoding in its Content-Type entity header, that interpretation is left to the browser.

Unfortunately for Internet Explorer users (and Google), Internet Explorer has an auto-select encoding option that, when enabled, interprets a resource as UTF-7 if it finds a UTF-7 sequence in the first 4096 bytes. Because Google's error response is so small, the reflected string falls well inside that window, and the danger is clear.
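As an added example (this is not code from the original post, and Python's html.escape() stands in for PHP's htmlentities()), the following script encodes a script tag as UTF-7, shows that an HTML escaper finds nothing to escape in it, and then decodes it the way a browser that has auto-selected UTF-7 would. The payload, the hand-written encoder and the detection helper are assumptions for illustration, not anything from the Watchfire report.

```python
# Added example, not from the original post: why an HTML escaper that does not
# know (or declare) the page's charset is useless against a UTF-7 payload.
import base64
import html
import re

# RFC 2152 "directly encoded" characters (Set D plus space/tab/CR/LF). Everything
# else, notably < > " ' &, is written as a base64 run of UTF-16BE between + and -.
_DIRECT = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "'(),-./:? \t\r\n"
)


def utf7_encode(text: str) -> str:
    """Minimal RFC 2152 UTF-7 encoder (hand-written for illustration).

    Consecutive non-direct characters share one base64 run; '+' itself is
    written as '+-'. Python's built-in codec could do this too, but writing
    it out shows exactly which bytes reach the HTML escaper.
    """
    out, run = [], []

    def flush():
        if run:
            raw = "".join(run).encode("utf-16-be")
            b64 = base64.b64encode(raw).decode("ascii").rstrip("=")
            out.append("+" + b64 + "-")
            run.clear()

    for ch in text:
        if ch == "+":
            flush()
            out.append("+-")
        elif ch in _DIRECT:
            flush()
            out.append(ch)
        else:
            run.append(ch)
    flush()
    return "".join(out)


def server_escapes(reflected: str) -> str:
    """What the server emits: html.escape() standing in for htmlentities().

    The escaper only rewrites the ASCII metacharacters & < > " ', none of
    which appear in a UTF-7 payload, so the string comes back unchanged.
    """
    return html.escape(reflected, quote=True)


def browser_decodes_as_utf7(served: str) -> str:
    """What a browser sees after auto-selecting UTF-7 for an undeclared page."""
    return served.encode("ascii").decode("utf-7")


_UTF7_SHIFT = re.compile(r"\+[A-Za-z0-9+/]{2,}-?")


def looks_like_utf7(reflected: str) -> bool:
    """Heuristic input check for UTF-7 shift sequences such as +ADw-.

    A useful detection signal, but not a fix: the fix is declaring
    charset=UTF-8 in Content-Type so the browser never guesses UTF-7.
    """
    return bool(_UTF7_SHIFT.search(reflected))


if __name__ == "__main__":
    # Constructed payload for the demonstration.
    payload = "<script>alert(1)</script>"
    utf7_payload = utf7_encode(payload)
    served = server_escapes(utf7_payload)
    print("attacker sends :", utf7_payload)
    print("server emits   :", served)  # identical: the escaper saw nothing to escape
    print("IE (UTF-7) sees:", browser_decodes_as_utf7(served))
    print("plain payload escaped:", server_escapes(payload))
    print("flagged by heuristic :", looks_like_utf7(utf7_payload))
```

Run it and compare the "server emits" and "IE (UTF-7) sees" lines: the escaper passes the payload through byte for byte, and the same bytes decode back to a live script tag once the browser guesses UTF-7. Declaring charset=UTF-8 in the Content-Type header removes the guess; the heuristic only tells you someone tried.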

The moral of the story is that you should always ensure that the character encoding your escaping function assumes matches the character encoding the remote system (here, the browser) will use to interpret the data. In other words, specify the character encoding in htmlentities() and declare the same encoding in your Content-Type header, use mysql_real_escape_string() (which uses the character set of the current database connection), and so on.

Google corrected this flaw earlier this month.

Google's XSS Vulnerability was posted on Wed, 21 Dec 2005.


1.lalala said:

I'm not quite understanding it. Could you post a sample URL here and what exactly happens then?


Wed, 21 Dec 2005 at 17:43:13 GMT

2.Chris Shiflett said:

The vulnerability has been fixed, so no, I can't. :-)

Wed, 21 Dec 2005 at 17:53:33 GMT

3.Chris Shiflett said:

Here is a helpful PHP function that you can use to convert a string to UTF-7:


Wed, 21 Dec 2005 at 17:56:47 GMT

4.Ivo Jansch said:

I don't understand either. To be able to comprehend how this may affect my website, could you explain how this could be exploited, even though you cannot demonstrate it?

Wed, 21 Dec 2005 at 19:53:18 GMT

5.Chris Shiflett said:

I explain this more thoroughly here:


Hope that helps. :-)

Wed, 21 Dec 2005 at 20:20:45 GMT

6.abc said:


Tue, 24 Jan 2006 at 20:41:42 GMT

7.the tester said:

just testing...

Thu, 26 Jan 2006 at 17:12:28 GMT

8.the tester said:

another test...

Thu, 26 Jan 2006 at 17:14:36 GMT

9.the tester said:

You are vulnerable against XSS as well. Just click my URL above....

Thu, 26 Jan 2006 at 17:17:45 GMT

10.Chris Shiflett said:

I appreciate your persistence and for letting me know, but I think you still have some work to do.

Having the target of your link be javascript:foo isn't much better than asking a user to copy and paste that into the location bar. The user still has a choice in the matter.

In other words, if this is XSS, then an example CSRF attack would be to use something like this as your URL:


Feel free to continue to experiment, and thanks again.

Thu, 26 Jan 2006 at 17:47:41 GMT

11.dsingh2 said:

Hi Chris,

I am a newbie and would appreciate if you could explain how you manage to display <script>alert('hi')</script> as such in your output without using encoding.


Mon, 30 Jan 2006 at 04:03:07 GMT

12.Chris Shiflett said:

I use htmlentities(), and I indicate UTF-8 as the character encoding to use. This matches what I indicate in my Content-Type header:

Content-Type: text/html; charset=UTF-8

Wed, 12 Apr 2006 at 13:35:38 GMT

13.I'm sorry :( said:

<<SCRIPT>window.location = 'http://www.google.com/';//<</SCRIPT>

Thu, 20 Jul 2006 at 01:13:11 GMT

14.Justaman said:

¼script¾alert(¢Another Test¢)¼/script¾

Thu, 27 Jul 2006 at 11:20:02 GMT

15.watermellon said:

having fun

Fri, 28 Jul 2006 at 20:21:30 GMT

16.Webkatalog said:

I am getting this error message, when trying to determine a PR of a site from my remote server. However, it works on another remote server.

"Your client does not have permission to get URL ..."

I am wondering if this has something to do with the PHP installation or similar...



Tue, 31 Oct 2006 at 22:08:52 GMT

17.Paul said:

I believe I understand why to use htmlentities() when displaying output back to a Web site, but isn't the only thing that needs to be checked for a <script> tag? What could you put in an HTML tag (e.g. <h1> or <div>) that could be harmful?



Sat, 13 Jan 2007 at 17:42:52 GMT

18.Chris Shiflett said:

Hi Paul,

There are many XSS examples listed here:


Hope that helps!

Sat, 13 Jan 2007 at 18:20:24 GMT

19.brontex said:

allow bro...

I want to ask about an XSS vulnerability: my favorite web site has been injected with this script, as you can see at this link


How can I fix this problem? Please teach me. Mr. Chris, maybe we can talk more on YM; my ID: adieth_illusion

Tue, 08 May 2007 at 15:11:47 GMT

20.Ron said:

Hello Chris, very interesting post. I just wondered, if you want to bypass UTF-8 encoding, you used in your example at


header('Content-Type: text/html; charset=UTF-7');

What I don't understand is that if you want to include this for the XSS vulnerability, you have to have access to the PHP page? Or where was that injected from?

Thank you very much

Thu, 29 Nov 2007 at 17:22:03 GMT

21.XSS Tester said:

Thanks for your post! ;P XSS is great fun, e.g. here:

this is an example of a .gov domain which links to my site:

my site:


and here the xss site, which is still not fixed:


which is definitely mistaken ;P

Thu, 13 Mar 2008 at 14:55:22 GMT

22.Dennis Gearon said:

I would really like to see a 'sequence diagram' for how the Google example actually happens. In particular, how does UTF-7 text sent through 'htmlentities' get interpreted as JavaScript?

Mon, 01 Sep 2008 at 04:25:38 GMT
