How to prevent users from planting malicious scripts in user data that is displa
Hello,

New to the forums--looks like a great place!

I am sort of a PHP beginner and recently noticed that someone entered into one of my input fields a `<script>` tag calling a malicious script.

On my site, I present the user input (which is stored in a database) in a number of places and want to make sure this script does not run.

I have magic quotes enabled, but as I understand this is not applicable in this situation.

My question is what do I have to do to make sure the malicious external script doesn't run?  Does PHP take care of this automatically, or do I have to use something like strip_tags() each time I output the data?

Yep.  You could then go through and have it check for the htmlentities version of `<b>` and `</b>` and such and convert it back to regular HTML if you wanted, or allow the use of [b] and such and just swap those out.
It's rather hard to have one but not the other :)

A quick note, though. I would store the data in your database WITH htmlentities() applied instead of without it, because you may not always remember to output it with it enabled!

Good luck

The script tag and other ways to insert JavaScript are why message boards, including this one, do not allow the direct entry of any HTML, even simple links. As well as using malicious scripts in script tags, a hacker might use the onmouseover event or the onclick event in the a (link) tag, and those events can be used with many other HTML tags like the div, the paragraph, the span, maybe even the bold tag talked about.  Those tags could be used to transfer the current user's logged-on session ID to a remote hacker site where it could possibly be exploited.

It could be difficult to make sure you've sanitized every way JavaScript could be injected through HTML; that's why message boards that contain public logged-on areas do not allow the entry of any HTML directly.
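The approach both replies describe, as an added example that is not code from the thread: escape everything the user typed before it reaches the page, then turn only a small [b]/[i] allow-list back into real tags. Because escaping happens first, raw HTML in the stored text (script tags, or tags carrying onmouseover/onclick attributes) is displayed literally rather than interpreted, so there is no need to enumerate every event attribute. Function names and the sample inputs are my own and constructed for the demonstration.

```php
<?php
declare(strict_types=1);

/**
 * Escape user text for insertion into HTML element content or a
 * double-quoted attribute value. ENT_QUOTES escapes both quote styles,
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty
 * string, and the charset must match the page's declared charset.
 */
function escape_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render user text with a tiny BBCode-style allow-list. The text is escaped
 * first, so any HTML the user typed stays inert; only our own [b] and [i]
 * markers (which survive escaping untouched) become real tags.
 */
function render_user_text(string $text): string
{
    $safe = escape_html($text);
    $safe = preg_replace('#\[b\](.*?)\[/b\]#is', '<b>$1</b>', $safe);
    $safe = preg_replace('#\[i\](.*?)\[/i\]#is', '<i>$1</i>', $safe);
    return $safe;
}

/**
 * Re-display stored user text inside an input field. The same escaping
 * covers the attribute context because ENT_QUOTES encodes the double quote
 * that would otherwise close the value="" attribute early.
 */
function render_input_field(string $name, string $value): string
{
    return '<input type="text" name="' . escape_html($name)
        . '" value="' . escape_html($value) . '">';
}

// Constructed sample inputs resembling what the thread describes.
$samples = [
    'Hello <script src="http://example.invalid/x.js"></script>',
    '<a href="#" onmouseover="alert(1)">hover me</a>',
    '<div onclick="alert(1)">click</div>',
    'Normal text with [b]bold[/b] and [i]italic[/i]',
    "O'Reilly \"quoted\" text",
];

foreach ($samples as $input) {
    echo render_user_text($input), PHP_EOL;
    echo render_input_field('comment', $input), PHP_EOL;
}
```

If you follow the first reply's advice and store the text already escaped, be consistent about it: escaping twice turns `&lt;` into `&amp;lt;` and shows the user a mangled string, so pick one point (storage or output) and apply `escape_html()` exactly once on that path. Escaping at output time, as above, keeps the database holding the user's original text and lets you reuse it in non-HTML contexts such as e-mail or JSON with the escaping appropriate to each.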