IchBin Posted June 23, 2011 I have a script that I'm creating which allows users to submit news articles. I realize the caveats of allowing users to input such data, but the couple of users who I allow to post I trust. These two like to design in their own apps which use some type of WYSIWYG editor to create their HTML layout. What I don't know as a coder is the proper method of doing my best to sanitize this data. I don't really want to try and include some library that does all of this stuff. I'd like just a rundown on how it could be done with my own coding. I've done a few searches, but I'm not sure I know the right search terms to get what I'm looking for. If you have any links to other topics, that would be great. Should all the HTML characters be converted to entities? Is it necessary? That would mean I'd have to decode the HTML for display. Do I gain any security from having to do that? It doesn't sound like it to me. Should I use addslashes()? Of course mysql_real_escape_string() would be used on the query to insert. But I'm thinking I need to do more with the data before it gets inserted. Basic steps to protect myself is all I'm looking for. Thanks for any input. --edit-- Sorry, posted in installation. Would a mod please move me to the PHP code board... Link to comment https://forums.phpfreaks.com/topic/240240-properly-sanitize-html-input/
micah1701 Posted June 23, 2011 I'd say look into using the strip_tags() function: http://php.net/manual/en/function.strip-tags.php On its own, it removes ALL HTML, but you can also specify which tags you want to allow, such as <p>, <strong>, <em>, <a>, etc. Then yes, use mysql_real_escape_string() when you insert it into the database.
IchBin (author) Posted June 25, 2011 That's just it, I don't really want to strip any tags. I want to allow these two people to post any HTML they want. I just want to make sure I am able to protect my server as much as possible. I'm guessing as long as I lock it down to them and make sure I do the appropriate escaping/cleaning before putting it into the database, that might be all I can do.
mikesta707 Posted June 25, 2011 If you aren't worried about your users injecting harmful HTML into the news articles, then sanitizing isn't really a problem. htmlentities()/html_entity_decode() might be good so you don't have to deal with quotes when inserting into the database (it turns quotes into entities also), but either way would be OK. One could argue that if you trust your users enough not to put harmful HTML into the news articles, you could trust them enough not to attempt SQL injection. Personally, I would strip all HTML tags and use a BBCode-type system, but I don't trust anyone.
xyph Posted June 25, 2011 BBCode is the way to go. At the very least, remove any script, iframe, etc. tags that allow outside information to be loaded into your site.
mikesta707 Posted June 25, 2011
xyph wrote: BBCode is the way to go. At the very least, remove any script, iframe, etc. tags that allow outside information to be loaded into your site.
In addition to this, also remember that people can use onXxx attributes (like onclick, onfocus, etc.) to insert JavaScript into your page. onclick events may not seem very dangerous, but an event like onload with some JavaScript that did some bad stuff could potentially be devastating. However, this assumes that you do not trust the user inputting data. Simply stripping the tags that xyph suggested may very well suffice, since you mentioned you trust the user input to a point.
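The two points above (strip_tags() with an allow list, and event-handler attributes that survive it) can be seen side by side in the following PHP, which is an added example and not code posted by anyone in this thread. It first shows what strip_tags() leaves behind, then a small DOM-based allow-list sanitizer that keeps only listed tags and listed attributes, and rejects href/src values whose scheme is not http, https or mailto. The sample article body, the attribute allow list and the function names (sanitize_html, clean_node, safe_url) are all constructed for this demo.

```php
<?php
// Added example, not code from the thread. Shows why strip_tags() with an
// allow list is not enough (it keeps every attribute on the tags it keeps),
// then a DOM-based allow-list sanitizer that keeps only known tags and
// attributes. Sample input and function names are constructed for this demo.

// Constructed malicious article body: event handlers, a javascript: URL,
// an inline <script>, and an HTML comment.
$sample = '<p onmouseover="alert(1)">Hello '
        . '<a href="javascript:alert(2)" onclick="alert(3)">link</a>'
        . '<img src="x" onerror="alert(4)">'
        . '<script>alert(5)</script>'
        . '<!-- comment --></p>';

// strip_tags() removes <script> and the comment, but leaves onmouseover=,
// onclick=, onerror= and the javascript: href untouched on the allowed tags.
$weak = strip_tags($sample, '<p><a><img>');

// Tag => list of permitted attributes. Anything not listed is dropped.
// "style" is deliberately absent: CSS is another script/URL carrier.
$allowed = [
    'p'      => [],
    'strong' => [],
    'em'     => [],
    'a'      => ['href', 'title'],
    'img'    => ['src', 'alt'],
];

function safe_url(string $url): bool
{
    // Browsers ignore whitespace and control characters inside a scheme
    // ("java\tscript:"), so strip them before inspecting it.
    $url = preg_replace('/[\x00-\x20\x7f]/', '', $url);
    if (!preg_match('#^[a-z][a-z0-9+.-]*:#i', $url)) {
        return true;                              // relative URL, no scheme
    }
    return (bool) preg_match('#^(https?|mailto):#i', $url);
}

function clean_node(DOMNode $node, array $allowed): void
{
    // Walk a snapshot of the children: the loop mutates the tree.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!isset($allowed[$tag])) {
                if (in_array($tag, ['script', 'style'], true)) {
                    $node->removeChild($child);   // content is code, never keep it
                } else {
                    clean_node($child, $allowed); // sanitize first, then unwrap
                    while ($child->firstChild) {
                        $node->insertBefore($child->firstChild, $child);
                    }
                    $node->removeChild($child);
                }
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                $keep = in_array($name, $allowed[$tag], true)
                     && (!in_array($name, ['href', 'src'], true) || safe_url($attr->value));
                if (!$keep) {
                    $child->removeAttribute($attr->name);
                }
            }
            clean_node($child, $allowed);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);           // comments, PIs, etc.
        }
    }
}

function sanitize_html(string $html, array $allowed): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);             // user HTML is rarely well-formed
    $doc->loadHTML('<html><head><meta http-equiv="Content-Type" '
                 . 'content="text/html; charset=utf-8"></head>'
                 . '<body>' . $html . '</body></html>');
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body, $allowed);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);           // serialise the cleaned fragment
    }
    return $out;
}

echo "strip_tags: $weak\n";
echo "sanitized:  " . sanitize_html($sample, $allowed) . "\n";
```

Running this prints the strip_tags() result with all three on* handlers and the javascript: href still present, and the sanitized result with only the paragraph, the link text (its href rejected) and the image with its src kept. The important design point is that the sanitizer is an allow list walked over a parsed DOM, not a regex over the raw string: the parser decides what is a tag and what is an attribute, so encoded or malformed markup cannot be interpreted one way by the filter and another way by the browser. This is essentially what a maintained sanitizing library does, with a much longer allow list and more URL and CSS handling.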
IchBin (author) Posted June 29, 2011 OK, thanks for the input, gentlemen. I'll go ahead and mark this solved. Just wanted to make sure there wasn't something I was missing.
xyph Posted June 29, 2011 Don't trust anyone. Use flexible BBCodes. Even the style attribute can be used for XSS attacks. If you allow font options, paragraphs, tables, lists, images with alignment, possibly YouTube or SWF embeds (though SWF embeds can be dangerous), what else do you need?
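As an added example of the BBCode approach recommended above (not code from the thread or from any BBCode library), the following PHP renders a small BBCode subset to HTML without ever emitting user-supplied markup: the whole post is entity-encoded first, and only recognised BBCode tags are then turned back into fixed HTML. Link and image URLs must be http(s), and a colour option is mapped to a CSS class from a fixed list so no user text reaches a style attribute. The tag set, the colour list, the function name render_bbcode and the sample post are all constructed for this demo.

```php
<?php
// Added example, not code from the thread. Minimal BBCode-to-HTML renderer:
// encode everything, then turn only known BBCode tags into fixed markup.
// Tag set, colour list and sample input are constructed for this demo.

function render_bbcode(string $text): string
{
    // 1. Encode every character that matters to HTML. From here on no
    //    user-supplied <, >, " or ' exists in $html.
    $html = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Paired tags without parameters map to fixed elements.
    $simple = ['b' => 'strong', 'i' => 'em', 'u' => 'u', 'quote' => 'blockquote'];
    foreach ($simple as $bb => $tag) {
        $html = preg_replace(
            '#\[' . $bb . '\](.*?)\[/' . $bb . '\]#is',
            '<' . $tag . '>$1</' . $tag . '>',
            $html
        );
    }

    // Only absolute http(s) URLs are accepted for links and images; this
    // rejects javascript:, data:, vbscript: and relative tricks outright.
    $is_http_url = function (string $url): bool {
        return (bool) preg_match('#^https?://[^\s"\'<>]+$#i', $url);
    };

    // 3. [url=...]text[/url]: decode the captured parameter (it was encoded
    //    in step 1), validate it, then re-encode it for the attribute.
    $html = preg_replace_callback('#\[url=([^\]]+)\](.*?)\[/url\]#is',
        function ($m) use ($is_http_url) {
            $url = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!$is_http_url($url)) {
                return $m[2];                    // drop the link, keep the text
            }
            $attr = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $attr . '" rel="nofollow">' . $m[2] . '</a>';
        }, $html);

    // 4. [img]url[/img], same validation.
    $html = preg_replace_callback('#\[img\](.*?)\[/img\]#is',
        function ($m) use ($is_http_url) {
            $url = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!$is_http_url($url)) {
                return '';
            }
            $attr = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<img src="' . $attr . '" alt="">';
        }, $html);

    // 5. [color=NAME]: the parameter is matched against a fixed list and
    //    becomes a class name, so user text never reaches a style attribute.
    $colors = ['red', 'green', 'blue', 'gray'];
    $html = preg_replace_callback('#\[color=([a-z]+)\](.*?)\[/color\]#is',
        function ($m) use ($colors) {
            $c = strtolower($m[1]);
            if (!in_array($c, $colors, true)) {
                return $m[2];
            }
            return '<span class="c-' . $c . '">' . $m[2] . '</span>';
        }, $html);

    return nl2br($html);
}

// Constructed sample post mixing legitimate BBCode with injection attempts.
$post = "[b]Hello[/b] <script>alert(1)</script>\n"
      . "[url=javascript:alert(2)]click[/url] [url=https://example.com/?a=1&b=2]ok[/url]\n"
      . "[img]data:text/html,x[/img] [color=red]warn[/color] "
      . "[color=red;background:url(x)]bad[/color]";

echo render_bbcode($post), "\n";
```

In the output the &lt;script&gt; text is displayed literally, the javascript: link is reduced to its text, the data: image is dropped, the https: link and the red span are rendered, and the malformed colour parameter (which contains characters outside a-z) is left as visible text. Unbalanced or unknown tags are harmless for the same reason: they were encoded in step 1 and nothing turns them back into markup. Store the raw BBCode in the database (with a prepared statement or the escaping function of the database driver) and render it on output, so the renderer can be tightened later without touching stored posts.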