ibolui, posted September 8, 2008:
Hi, I just read that for security purposes I should escape my $output before echoing the values, and the method is to use htmlentities. However, if the $output is HTML text, for example $output = "A 'quote' is <b>bold</b>"; and I wish to retain the < b > instead of it becoming <b>, what should I do? If I am to echo ANY unescaped output to a Flash app frontend, will there be security issues?
https://forums.phpfreaks.com/topic/123228-escaping-outputs/
aschk, posted September 8, 2008:
What you need is token replacement, and believe me it's not an easy task. In essence you need to filter out the tags you require to start with and replace them with tokens (e.g. %BOLD%). It is a string to represent where you want bold tags. You then escape (htmlentities) your output, and then replace your tokens with their real string counterparts. At least this is the way I do it... others may have better suggestions.
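aschk's token-replacement approach, written out as an added PHP example (not code from this thread or from any poster); the helper name escape_keeping_tags() and the allow-list of tags are assumptions, and the allow-list is deliberately limited to attribute-free tags so the restore step can never reintroduce anything htmlentities would have neutralised:

```php
<?php
// Added example: aschk's token-replacement idea, restricted to an allow-list
// of attribute-free tags. Helper name and allow-list are assumptions.

function escape_keeping_tags(string $html, array $allowedTags = ['b', 'i', 'u']): string
{
    // Map token => real tag, for the exact opening and closing forms only.
    // "<b onclick=...>" does not match "<b>", so it falls through to escaping.
    $tokens = [];
    foreach ($allowedTags as $tag) {
        $tokens["%%OPEN_{$tag}%%"]  = "<{$tag}>";
        $tokens["%%CLOSE_{$tag}%%"] = "</{$tag}>";
    }

    // Step 1: swap the allowed tags for tokens.
    $tokenised = str_replace(array_values($tokens), array_keys($tokens), $html);

    // Step 2: escape everything else, including any tag not on the allow-list.
    $escaped = htmlentities($tokenised, ENT_QUOTES | ENT_HTML401, 'UTF-8');

    // Step 3: put the allowed tags back. A user who typed "%%OPEN_b%%" literally
    // only gets a <b>, which is permitted anyway, so the allow-list cannot widen.
    return str_replace(array_keys($tokens), array_values($tokens), $escaped);
}

// Constructed sample input: the thread's example plus two things that must stay escaped.
$output = "A 'quote' is <b>bold</b> <script>alert(1)</script> <b onclick=\"x()\">no</b>";
echo escape_keeping_tags($output), "\n";
// A &#039;quote&#039; is <b>bold</b> &lt;script&gt;alert(1)&lt;/script&gt; &lt;b onclick=&quot;x()&quot;&gt;no</b>
```

The stray restored </b> in the last case shows the limit of the approach: it only recognises exact tag strings, so output from a rich text editor that emits attributes, nested or unbalanced markup is better handled by a BBCode parser or a proper HTML sanitiser than by widening this allow-list.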
ibolui (author), posted September 8, 2008:
But the $input is text from a richtextarea, which I think will be too much to token replace. Before I insert into the database, I had mysql_real_escape_string($input). For some reason, because I need to echo out the exact $input to a Flash app, can I just echo out $input exactly as it is, without using htmlentities or other escaping functions?
aschk, posted September 8, 2008:
You can, BUT you're allowing security holes in your application by not escaping the output...
discomatt, posted September 8, 2008:
They're only security holes if you allow untrusted people to enter data that will later be outputted. This is common in forums and comment systems. Your best bet is to get a WYSIWYG/Rich Text editor that is already based on 'BBCode', and simply use a PHP BBCode parser. Plenty on Google.