fohanlon Posted July 22, 2009
Hi Guys, I have only realised that it is possible to inject JavaScript <script> tags in form fields. I read that htmlspecialchars will solve this by encoding < as &lt; etc. However, I cannot get the function to work. Does UTF-8 encoding have an effect on the function? Thanks for the help, Fergal.
Adam Posted July 22, 2009
No it won't, show us some code...
fohanlon (Author) Posted July 22, 2009
Hi, just some simple code to test:

<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new;
?>

and it outputs <a href='test'>Test</a>. I thought it would output <a href= .... Thanks, Fergal.
PFMaBiSmAd Posted July 22, 2009
Do a "view source" in your browser of the output.
Adam Posted July 22, 2009
If you look at the source they'll be in their entity form; the browser converts them.
fohanlon (Author) Posted July 22, 2009
Looked at the source and yes, it is in entity form. I was trying to ensure that if a user enters something like <script>alert("test")</script> in a form field, then on submission of the form the alert box will not work. The form will not write anything to a database; variables are just gathered and emailed in the mail function. Am I right in using htmlspecialchars? I have spent hours reading forums etc. and am confused. Thanks, Fergal.
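Worked example, added here and not taken from any post in the thread: it wraps htmlspecialchars the way the replies describe (ENT_QUOTES, and the charset passed explicitly, which is the part the UTF-8 question is really about), runs it over the exact payload from the last post, and shows where the escaping applies when the values are echoed back into a page. It also adds the check a practitioner would want for the mail() path the poster describes, since HTML escaping does nothing for that. The helper names e() and header_safe(), the example.com addresses, and the sample inputs are all assumptions made for this example; it assumes PHP 5.4 or later for ENT_SUBSTITUTE.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 5.4.

/**
 * Escape a string for insertion into HTML text or a quoted attribute value.
 * ENT_QUOTES encodes both " and ' so the result is also safe inside attributes.
 * 'UTF-8' is passed explicitly: on PHP < 5.4 the default charset was ISO-8859-1.
 * ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of returning "",
 * which would otherwise silently drop the user's whole value.
 */
function e($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * For values that become mail headers (From, Subject, Reply-To): refuse CR/LF.
 * The risk in mail() is header injection (extra Bcc:/To: lines), not script
 * execution, and entity encoding does not prevent it; rejecting line breaks does.
 */
function header_safe($value)
{
    $value = (string) $value;
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException('Line break in mail header value');
    }
    return $value;
}

// Constructed sample input: the same payload discussed in the thread.
$input = '<script>alert("test")</script>';

// Escaping happens at output time, when the value goes back into an HTML page
// (a confirmation message, or a re-populated field after a validation error).
// "View source" then shows entities, so the browser never builds a script element.
echo '<p>You entered: ', e($input), "</p>\n";
echo '<input type="text" name="comment" value="', e($input), "\">\n";

// Mail path: a text/plain body needs no HTML escaping, but header fields must be
// checked. Constructed header-injection attempt in a "name" field:
$fromName = "Fergal\r\nBcc: victim@example.com";
$subject  = 'Contact form';

try {
    $headers = 'From: ' . header_safe($fromName) . " <noreply@example.com>\r\n";
    $body    = "Comment:\n" . $input . "\n";
    // mail('admin@example.com', header_safe($subject), $body, $headers);
} catch (InvalidArgumentException $ex) {
    echo 'Rejected: ', $ex->getMessage(), "\n";
}
```

With the sample payload, e() returns `&lt;script&gt;alert(&quot;test&quot;)&lt;/script&gt;`, which is what "view source" shows while the rendered page displays the literal text. The two helpers address different problems: e() is the right tool only where the value is written into HTML (and only for text and quoted attributes; a value placed inside a <script> block or a URL needs context-specific encoding instead), while the mail() case is governed by header_safe(), because a newline in a header field lets the submitter add recipients regardless of how the body is escaped.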