JohnnyDoomo Posted September 4, 2013 Share Posted September 4, 2013 I'm a noobie at php, so this is probably very simple, but I have a field that allows users to submit a title for a page. Today I discovered someone submitted a title that had "<head><title>" in it, and it broke the site. If my variable is called $_POST['title'] can someone please show me how I would either keep "<head><title>" in the title, but not process it, or remove certain html tags that would cause trouble? If you could give me the actual code I need, that would be very helpful, as a lot of times things mentioned on how to do it is over my head at the moment. Thanks for any help you can provide me with. Quote Link to comment https://forums.phpfreaks.com/topic/281850-prevent-html-from-processing-from-user-submitted-field/ Share on other sites More sharing options...
requinix Posted September 4, 2013 Share Posted September 4, 2013 What you're demonstrating is called XSS and the problem is worse than people just "breaking the site". Write yourself a function that calls htmlentities or htmlspecialchars with the correct set of arguments for your page: passing ENT_QUOTES and whatever character encoding your pages use. Like function htmlescape($string) { return htmlentities($string, ENT_QUOTES, "UTF-8"); }Then use that every time you output arbitrary user-provided information, like <?=htmlescape($_POST["title"])?>If you're wondering about what to do with your database, don't escape the data when it goes in. Only when you're about to display it on your page.But make sure you're not putting $_POST data into your queries directly because there's a SQL version of the problem you're having and it can be even worse than this XSS thing. Quote Link to comment https://forums.phpfreaks.com/topic/281850-prevent-html-from-processing-from-user-submitted-field/#findComment-1448146 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.