
htmlentities not for the same user


freelance84

Think I've got myself a little confused here.

 

htmlentities 

 

This function is designed to try and keep clients safe.

 

If the comment the user inputs can only ever be seen by him or her, then in theory is there no need to use htmlentities as any dodgy script would only affect them.

 

Is this correct thinking?


What if you are using a simple template system or some other not so well thought out CMS script on your site that uses eval (either with or without your knowledge) and the comment that the user enters contains some PHP code, so, when it is processed when it is displayed it just ran the hacker's PHP code on your server?

 

It is unlikely that you have a system where only the visitor could view what he posted. What about if an administrator or owner of your site, such as you, views the posted information? That's exactly who a hacker would like to get the cookie values for.


Yea I am trying to proceed with this ethos, I was just wondering. I mean if the input is only ever seen by the user who inputs it... if they input some dodgy js surely it's only funny that it would affect them?

 

What did you mean with

Even your keyboard once in a while ::)
?

 

Hehe, I meant nothing offensive, but I just read an article that shopping carts and keyboards are the most unhygienic objects on earth.


Here's another use of XSS.

 

Someone makes a link to your site that contains JavaScript to send him the cookie values of that visitor for your site. If this person can get a visitor to click on that link (perhaps on a phishing site that looks like it is your site or in an email that looks like it came from your site) and the code on your site outputs that JavaScript back to the visitor (either directly by echoing the URL in a form action="" attribute or by accepting that HTTP request as a comment being posted by that visitor - $_REQUEST really is a bad idea), someone just got the cookie values for that visitor for your site.


I use htmlentities to make content safe for display in form fields; for instance, if input includes greater-than or less-than characters, or if the content includes single-quotes and the field value is enclosed in single quotes (or vice-versa with double-quotes). If you don't clean up these "entities" with htmlentities, the form can fall apart visually and/or programmatically.

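The two outputs discussed in the posts above (a request URL echoed into a form action, and user text placed in a quoted form field value), shown as an added example that is not part of the original thread. The helper name `e()` and both sample inputs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: escape a value for HTML text or a quoted attribute.
// ENT_QUOTES converts both " and ', so the result is safe whichever quote
// character delimits the attribute value.
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs (not taken from the thread); $requestUri stands
// in for the URL the page would echo back.
$comment    = 'it\'s 5 > 3 <script>alert("does this popup?")</script>';
$requestUri = '/comment.php?x="><script>alert("does this popup?")</script>';

// Pattern described above: request data echoed back into the page as-is.
// The "> inside the URL closes the attribute and the script tag becomes live.
$unsafeForm = '<form action="' . $requestUri . '" method="post">';

// Escaped at the point of output: the same text stays inside the attribute.
$safeForm = '<form action="' . e($requestUri) . '" method="post">';

// ENT_COMPAT was the default before PHP 8.1 and leaves ' unconverted, so a
// single-quoted value='' ends at the apostrophe in "it's".
$compatField = "<input name='comment' value='"
    . htmlentities($comment, ENT_COMPAT, 'UTF-8') . "'>";
$quotesField = "<input name='comment' value='" . e($comment) . "'>";

// Print the four variants side by side for comparison (run with the PHP CLI).
foreach ([
    'unsafe form' => $unsafeForm,
    'safe form'   => $safeForm,
    'ENT_COMPAT'  => $compatField,
    'ENT_QUOTES'  => $quotesField,
] as $label => $markup) {
    echo str_pad($label, 12), $markup, "\n";
}
```

Passing the flags and charset explicitly keeps the behaviour the same across PHP versions instead of depending on the version's defaults.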

fortnox007: 

Haha! I see  :)  I thought you might be talking about something to do with HTML 5 or something  ::)

 

PFMaBiSmAd:

Those are two pretty good reasons! Thanks a lot  :D

(For this site in question the user inputs text that only he or she will read in the future; site admin will never read it. Although I suppose future development may result in admin or different users seeing other users' input.)

 

<table>

 


So what if you want the user to be able to use > or < or quotes? How do you get them into the HTML without any risk? Surely the decode version of htmlentities (html_entity_decode) would just print the dangerous script?

 

 

Well, you could use a form of BBCode, where instead of allowing <b>  </b>

you allow only

[b]  [/b]

and when you output the form you convert

[b] [/b]

to <b>  </b>

That way you can add a safe list of tags you want them to be able to use.

 

I bet you need preg_replace() for this.

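One way to implement the BBCode safe list suggested above, as an added example that is not code from the thread. The function name `bbcode_to_html()`, the `ALLOWED_TAGS` list and the sample post are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Safe list: BBCode tag name => HTML element it is allowed to become.
const ALLOWED_TAGS = ['b' => 'b', 'i' => 'i', 'u' => 'u'];

function bbcode_to_html(string $input): string
{
    // 1. Escape everything first, so any HTML the user typed becomes inert
    //    text. Doing this after step 2 would escape the generated tags too.
    $html = htmlentities($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Convert only matched pairs of safe-listed tags. The generated
    //    elements carry no attributes, so no user-controlled text ends up
    //    inside the markup itself.
    foreach (ALLOWED_TAGS as $bb => $element) {
        $tag     = preg_quote($bb, '#');
        $pattern = '#\[' . $tag . '\](.*?)\[/' . $tag . '\]#is';
        // preg_replace() returns null on error; keep the escaped text then.
        $html = preg_replace($pattern, "<$element>\$1</$element>", $html) ?? $html;
    }

    // Do not run html_entity_decode() on the result: that would turn the
    // escaped text back into live markup.
    return $html;
}

// Constructed sample post: two allowed tags, a tag that is not on the safe
// list, literal < and quotes, and the script test from this thread.
$post = '[b]bold[/b] and [i]italic[/i], 1 < 2, "quoted", [img]x[/img] '
      . '<script>alert("does this popup?")</script>';

echo bbcode_to_html($post), "\n";
```

Unmatched or unlisted tags such as `[img]` are left as literal text, and the `<`, `>` and quotes the user typed are displayed as characters rather than interpreted.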

Hmm, ok. But how am I able to print here on this thread > or < or " '". Shouldn't htmlentities be removing them? Or does it just remove actual html tags?

 

popup message js:

<script language="JavaScript" type="text/javascript">alert("does this popup?")</script>

 

The above js popup message isn't popping up here but the page has printed it directly into the thread...

 

 

Also it's not even in the source?

 

Is there another way... does this page have a separate js which handles stuff like this?

htmlentities doesn't remove them; it converts them into other characters. If you look in the source of this page your text is shown as:

Hmm, ok. But how am i able to print here on this thread > or < or " '". Shouldn't htmlentities be removing them? Or does it just remove actual html tags?

  See the special characters?

Link to comment
Share on other sites

ahhhhhh, pennies dropped.

 

Thanks a lot! Very much appreciated.

 

(I just did a search in the source earlier for the tags, which of course returned nothing. Of course I forgot the link that was the browsers print special characters differently! Pretty dumb as I use them all the time!)

Hehe, I found this out last week, a hilarious topic by myself that htmlentities was not working, and nobody understood what the f** I was talking about. Glad I could be of service ::)
