Ricky55 Posted June 23, 2014

Hi,

Total PHP noob, obviously. I want some form submission results to be in bold text. So I have:

$open = echo htmlentities("<strong>");
$close = echo htmlentities("</strong>");
$message .= 'Cushion Refilling Service: ' . $open . $_POST['cushion-refilling'] . $close . "\n\n";

How should I be doing this?

Thanks
Richard
.josh Posted June 23, 2014

First, you can't assign echo to a variable, so remove that.

Second, htmlentities will make it to where the browser will render the tag as text instead of an actual tag. So on the page, it will show the actual tag, e.g. <strong>, but if you right-click view source, you will see e.g.: &lt;strong&gt;

This is mostly useful for coding sites that want to show raw HTML code in a code box so that the browser won't treat it as a real HTML tag to render. So if you want the browser to render it, remove htmlentities:

$open = "<strong>";
$close = "</strong>";
$message .= 'Cushion Refilling Service: ' . $open . $_POST['cushion-refilling'] . $close . "\n\n";
echo $message;
Jacques1 Posted June 23, 2014

Now he has a cross-site scripting vulnerability through the cushion-refilling parameter. The user input must be escaped, so using htmlentities() was actually the right idea. He just applied it to the wrong data:

$message = 'Cushion Refilling Service: <strong>' . htmlspecialchars($_POST['cushion-refilling'], ENT_QUOTES, 'UTF-8') . "</strong>\n\n";

Note that you want htmlspecialchars(), not htmlentities(). The htmlentities() function converts all characters for which there's a named HTML entity. This is absolutely useless and a waste of resources. On the other hand, htmlspecialchars() only converts the characters which actually have a special meaning like “<” or “>”.

Also note that you must specify the character encoding. How is PHP supposed to convert characters if it doesn't even know what they look like?
.josh Posted June 23, 2014

Yes, it is technically true that a user could input some bad JS, but since it's just echoing back to the same user, there's no real danger. After all, the user can just straight up JS console whatever they want on the site to begin with.

Cross-site scripting becomes a danger when you take user input and then allow that to be displayed to all visitors. So for example, if he were to take that posted info and store it in a DB or something and then retrieve that info and display it generically on a page to everybody, that would make for potential cross-site scripting. One example of this is posting comments on a blog. Or forum posts on a thread. But near as I can tell, that is not the case in this scenario; this scenario involves echoing back out that info only to the user who just entered it in.
Jacques1 Posted June 23, 2014

This is a common misconception. Cross-site scripting which depends on the user input is called Reflected XSS and is just as dangerous as Persistent XSS (which you describe). It only requires a slightly different attack: while Persistent XSS is triggered when the victim visits the target page, Reflected XSS is triggered by getting the victim's browser to send the required input.

In the case above, for example, the attacker only needs the victim to visit a page with some predefined JavaScript code. This code would create a form pointing to the target page, define the cushion-refilling parameter with malicious JavaScript code and then automatically submit the form. Now the victim has just made a POST request to the target page and ends up running the code in the cushion-refilling parameter.
.josh Posted June 23, 2014

Okay, you're right, thanks for pointing me to that; learn somethin' new every day.
Ricky55 (Author) Posted June 24, 2014

Tried that guys, but it just prints the strong tags, i.e. it doesn't make the text bold. What else do I need to do to make the HTML be interpreted?

The code I used was:

$message = 'Cushion Refilling Service: <strong>' . htmlspecialchars($_POST['cushion-refilling'], ENT_QUOTES, 'UTF-8') . "</strong>\n\n";
Jacques1 Posted June 24, 2014

And what are you doing after this? You obviously have yet another htmlentities() or htmlspecialchars() call somewhere which destroys the tags. If you just output $message, you will very well get bold text.
mogosselin Posted June 24, 2014 (edited)

Or you could use something like...

<?php
$msg_label = "Cushion refilling service";
$msg = htmlspecialchars($_POST['cushion-refilling'], ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<body>
...
<?= $msg_label ?>: <strong><?= $msg ?></strong>
...
</body>
</html>

Which should be easier to manipulate...

Edited June 24, 2014 by mogosselin
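The two points Jacques1 makes (escape the untrusted value once, with ENT_QUOTES and an explicit charset, and don't escape the assembled message a second time) as an added, runnable example; this is not code from the thread, and the sample inputs are constructed stand-ins for $_POST['cushion-refilling'].

```php
<?php
declare(strict_types=1);

// Escape one untrusted value for an HTML text or attribute context.
// ENT_QUOTES also encodes ' and ", which is what keeps a value from
// terminating an attribute; the charset tells PHP how to read the bytes.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Assemble the message the way Jacques1 suggests: the <strong> markup is
// trusted and stays literal, only the user-supplied value is escaped.
function buildMessage(string $label, string $untrusted): string
{
    return $label . ': <strong>' . esc($untrusted) . '</strong>' . "\n\n";
}

// Constructed sample inputs standing in for $_POST['cushion-refilling'].
$samples = [
    'plain'  => '2 seat cushions',
    'markup' => '<em>not</em> a tag',
    'quotes' => 'Rob\'s "extra firm" fill',
];

foreach ($samples as $name => $input) {
    echo "$name: " . buildMessage('Cushion Refilling Service', $input);
}
// markup  -> Cushion Refilling Service: <strong>&lt;em&gt;not&lt;/em&gt; a tag</strong>
// quotes  -> Cushion Refilling Service: <strong>Rob&#039;s &quot;extra firm&quot; fill</strong>

// Attribute context: with ENT_QUOTES the quotes become entities, so the
// value stays inside value="..."; ENT_NOQUOTES lets them through unchanged.
$q = $samples['quotes'];
echo 'ENT_QUOTES:   <input value="' . esc($q) . '">' . "\n";
echo 'ENT_NOQUOTES: <input value="' . htmlspecialchars($q, ENT_NOQUOTES, 'UTF-8') . '">' . "\n";

// Double escaping: the symptom in Ricky55's second post. Running the
// finished message through htmlspecialchars() again turns <strong> into
// &lt;strong&gt;, so the browser prints the tags instead of rendering bold.
$once  = buildMessage('Cushion Refilling Service', $samples['plain']);
$twice = esc($once);
echo "escaped once:  $once";   // <strong>2 seat cushions</strong>
echo "escaped twice: $twice";  // &lt;strong&gt;2 seat cushions&lt;/strong&gt;
```

Run with `php example.php`; only the "escaped twice" line reproduces the literal-tags symptom, which is the extra call to look for in the rest of the form handler.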