Safely embed HTML in a $string

[ajoo]

Hi all, 

 

I wish to embed some HTML in messages in my application as also in the emails to format them nicely. How is it possible to do that securely?

 

Thanks.

[requinix]

Where is the HTML coming from?

[ginerjm]

If YOU are creating the actual HTML codes, then there is no risk.  If the html is coming 'from' somewhere (dynamic, and not static so to speak) then you have to prepare it first.  You will have to run htmlentities() on it before outputting it tho.

[requinix]

You will have to run htmlentities() on it before outputting it tho.

Thing is, that would break the HTML markup that was desired.

[ginerjm]

Don't know what I was thinking of!  I output html all the time and never do that!  

 

I am such an idiot somedays....

[ajoo]

Hi requinix and ginerjm !!

 

Thanks for the response ! Ya so the html escaping is not possible. As for the message, it could be a static or dynamic but I don't think it would include any user inputted data in it. 

 

However let's consider that the data is dynamic and also has some user input appended to the message. So I would like to know what's the best way to construct such a message so that it is perfectly safe.

 

Thanks loads ! 

[maxxd]

You could always strip_tags() any undesirable tags - script tags, etc... There are obviously caveats to using strip_tags() as well, but it's better than trusting user input.

[requinix]

Unfortunately strip_tags() is only a partial solution. Consider something like

strip_tags() can allow the but it doesn't do any validation on the rest of the tag.

 

I don't think it would include any user inputted data in it.

Then there's no risk - just make sure the HTML is well-formed.

 

However let's consider that the data is dynamic and also has some user input appended to the message.

Can you reduce that to a situation where the user input does not contain HTML? You could always prompt for more than one piece of data if you needed to fit it into a sort of template.

[ajoo]

hmmm ! How about as follows:

<?php 
         $username = $_POST['username'];
         .
         .

         $msg = "<p> This is a test </p>".html_escape($username);
         .
         .
         .  
         echo $msg;
?> 
 

Would not that sort the issue of a user input that is included?

[Jacques1]

What exactly makes you think that HTML-escaping somehow doesn't work in this scenario? Because I don't see the problem here at all.

[ajoo]

Hi Guru Jacques, 

 

If you are referring to #9, that is the solution that I think should work. I am just asking for a confirmation.

 

This :

html_escape "<p> This is a test. </p></p>This is another.</p>"

is what won't work as i tested it.

 

Thanks !

[Jacques1]

Of course you have to HTML-escape the data you want to insert, not the entire markup.

[ajoo]

   Thank you !!