FunkyELF Posted October 12, 2006 Share Posted October 12, 2006 Hi guys, this is my first post on here so don't hate on me.I'm brand new to PHP and the only HTML I have done was static stuff 7 or 8 years ago.With that being said...I came across a site showing how to highlight PHP using PHP. What I really want is for any request for a .phps file (which doesn't exist) to pass the coresponding .php file though the highlighter...but I'll save that for another post.What I came across was the following code which I put in my htdocs directory....highlight.php:[code]<?phpif (!empty($_POST['text'])){ echo '<div style="border: solid 1px orange; padding: 20px; margin: 20px">'; highlight_string($_POST['text']); echo '</div>';}?><form action="<?php echo $_SERVER['PHP_SELF']?>" method="post"> <textarea name="text" style="width: 100%; height: 500px"><?php echo @$_POST['text']; ?></textarea> <br /> <input type="submit" value="Highlight" /></form>[/code]So I try it out and it works pretty well. Then I decide to have it parse itself and I copy the entire file into the field and press "highlight" and what I get at the bottom was two "highlight" buttons.Now, if I go and paste the following in there, I get 4 buttons saying "Should" "These" "Be" and "Here?" above the "highlight" button.[code]<?phpif (!empty($_POST['text'])){ echo '<div style="border: solid 1px orange; padding: 20px; margin: 20px">'; highlight_string($_POST['text']); echo '</div>';}?><form action="<?php echo $_SERVER['PHP_SELF']?>" method="post"> <textarea name="text" style="width: 100%; height: 500px"><?php echo @$_POST['text']; ?></textarea> <br /> <input type="submit" value="Should" /> <input type="submit" value="these" /> <input type="submit" value="be" /> <input type="submit" value="here?" /></form>[/code]Its not that it contains non PHP stuff is it?...If I paste the following it works fine and I see <H1>Where am I?</H1> inside the orage rectangle where it should be but if I put <H1>Where am I?</H1> under those <input> buttons in the above example, the text "Where am I?" gets rendered as a heading.[code]<?php echo "Will the following be inside or outside the orage box?<br/>";?><H1>Where am I?</H1>[/code]Somewhere in there it seems like it is getting out of the highlight_string function and the remainder gets dumped and rendered by the browser. Is this bad for security since anything could get displayed by the browser? What is the worst thing that could happen?... a javascript redirect? Obviously if you're reading this, whoever wrote this forum software did their syntax highlighting the right way otherwise you'd be seeing my input buttons on this page.Thanks in advance,~Eric Quote Link to comment Share on other sites More sharing options...
btherl Posted October 13, 2006 Share Posted October 13, 2006 http://sg.php.net/manual/en/function.htmlspecialchars.php will probably do it. That will escape the HTML so it doesn't escape the textarea.Edit: Er.. I mean, so it doesn't "get out of" the textarea. Bad choice of words :) Quote Link to comment Share on other sites More sharing options...
FunkyELF Posted October 13, 2006 Author Share Posted October 13, 2006 [quote author=btherl link=topic=111338.msg451249#msg451249 date=1160720925]http://sg.php.net/manual/en/function.htmlspecialchars.php will probably do it.[/quote]Nope. Did you try it?Besides still placing the buttons there and allowing anything I want to get rendered by the browser, the stuff that actually stayed in the orange box wasn't highlighted at all ! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.