Jump to content

Prevent html from "processing" from user submitted field?


Recommended Posts

I'm a noobie at php, so this is probably very simple, but I have a field that allows users to submit a title for a page.

 

Today I discovered someone submitted a title that had "<head><title>" in it, and it broke the site.

 

If my variable is called $_POST['title'] can someone please show me how I would either keep "<head><title>" in the title, but not process it, or remove certain html tags that would cause trouble?

 

If you could give me the actual code I need, that would be very helpful, as a lot of times things mentioned on how to do it is over my head at the moment.

 

 

Thanks for any help you can provide me with.

What you're demonstrating is called XSS and the problem is worse than people just "breaking the site".

 

Write yourself a function that calls htmlentities or htmlspecialchars with the correct set of arguments for your page: passing ENT_QUOTES and whatever character encoding your pages use. Like

function htmlescape($string) {
    return htmlentities($string, ENT_QUOTES, "UTF-8");
}
Then use that every time you output arbitrary user-provided information, like

<?=htmlescape($_POST["title"])?>
If you're wondering about what to do with your database, don't escape the data when it goes in. Only when you're about to display it on your page.

But make sure you're not putting $_POST data into your queries directly because there's a SQL version of the problem you're having and it can be even worse than this XSS thing.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.