fohanlon Posted July 22, 2009

Hi Guys,

I have only just realised that it is possible to inject JavaScript <script> tags in form fields. I read that htmlspecialchars will solve this by encoding < as &lt; etc. However, I cannot get the function to work. Does UTF-8 encoding have an effect on the function?

Thanks for the help,
Fergal.
Adam Posted July 22, 2009

No it won't, show us some code...
fohanlon (Author) Posted July 22, 2009

Hi,

Just some simple code to test:

<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new;
?>

and it outputs <a href='test'>Test</a>. I thought it would output <a href= ....

Thanks,
Fergal.
PFMaBiSmAd Posted July 22, 2009

Do a "view source" in your browser of the output.
Adam Posted July 22, 2009

If you look at the source they'll be in their entity form; the browser converts them.
fohanlon (Author) Posted July 22, 2009

Looked at the source and yes, it is in entity form. I was trying to ensure that if a user enters something like <script>alert("test")</script> in a form field, then on submission of the form the alert box will not work. The form will not write anything to a database; variables are just gathered and emailed in the mail function. Am I right using htmlspecialchars? I have spent hours reading forums etc. and am confused.

Thanks,
Fergal.
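The situation the thread is discussing, as an added example that is not code from any of the posters: a submitted form value containing a script tag is passed through htmlspecialchars before being echoed back into the page, so the browser receives entities and shows the tag as text instead of parsing it. The escapeHtml() wrapper, the ENT_SUBSTITUTE flag and the explicit 'UTF-8' charset argument are additions of this example (the thread's own call passes only ENT_QUOTES); the $submitted value is a constructed stand-in for a $_POST field.

```php
<?php
// Added example, not from the original thread: escaping a form value before
// echoing it into HTML so that a submitted <script> tag is displayed as text.

declare(strict_types=1);

/**
 * Escape a string for insertion into HTML element content or into a quoted
 * attribute value. ENT_QUOTES also converts single quotes (needed for
 * single-quoted attributes), ENT_SUBSTITUTE replaces invalid byte sequences
 * instead of returning an empty string, and the explicit charset keeps the
 * result independent of the server's default_charset setting.
 * (escapeHtml is a helper name chosen for this example.)
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input, standing in for something like $_POST['comment'].
$submitted = '<script>alert("test")</script>';

// The vulnerable pattern the thread asks about: echoing the raw value lets the
// browser parse and execute the tag. Kept as a comment only.
// echo $submitted;

// The safe pattern: "view source" now shows &lt;script&gt; ... &lt;/script&gt;
// and the browser renders it as literal text.
$escaped = escapeHtml($submitted);
echo $escaped, "\n";

// The same call applied to the attribute test case from the thread; with
// ENT_QUOTES the single quotes around 'test' are converted as well.
echo escapeHtml("<a href='test'>Test</a>"), "\n";

// Both contexts the form typically needs: element content and a double-quoted
// attribute value that re-populates the field after submission.
printf('<p>%s</p>' . "\n", $escaped);
printf('<input type="text" name="comment" value="%s">' . "\n", $escaped);
```

Running this and viewing the page source shows the entity form (&lt;, &gt;, &quot;, &#039;) rather than the raw tag, which is what the "view source" suggestion above is pointing at. Note that htmlspecialchars is an escaping function for the HTML output context only: it makes a value safe to echo into a page, and does nothing for other destinations a value may be written to.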