
I am trying to keep security in mind before I start a large project, so I have a quick question. I understand that it isn't safe to allow users to input HTML or any code into the database.

 

My question is, if I use htmlentities() on all input where the user is allowed to use code that will be inserted into the database, will that keep away malicious javascript code?

 

Obviously when I want to display this information from the database I will use html_entity_decode(), but won't that just change it back from HTML entities to normal HTML again? If it does that, doesn't that mean that the code will still be executed, and I would still be vulnerable to the attacks that are in the code?

 

Maybe this is the reason BBCode was created? If I don't have to use it though, I would rather not.
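An added example, not from the original post, to make the round trip in the question concrete: encoding with htmlentities() on the way in and decoding with html_entity_decode() on the way out hands the browser exactly the bytes the user typed. The input string and the attribute value below are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Constructed input: what a user might paste into a profile field.
$input = '<b>Hi</b><script>alert(document.cookie)</script>';

// The pattern from the question: encode going into the database, decode coming out.
$stored  = htmlentities($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
$decoded = html_entity_decode($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
var_dump($decoded === $input);   // identical to $input: the round trip protected nothing

// Safer pattern for text you do NOT want interpreted as HTML: store the raw string
// (parameterised SQL takes care of the database side) and encode once, at output,
// for the context you are writing into. Never decode on the way out.
function render_text(string $raw): string
{
    // htmlspecialchars is enough here; the characters that matter are & < > " '.
    // ENT_QUOTES is what makes this safe inside a single-quoted attribute.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Why the flag matters: before PHP 8.1 the default (ENT_COMPAT) left single quotes
// alone, so a value landing in a single-quoted attribute could close it and add
// an event handler. Compare the two renderings of the same constructed value.
$attr = "x' onerror='alert(1)";
echo "<img alt='" . htmlspecialchars($attr, ENT_COMPAT, 'UTF-8') . "' src=\"pic.png\">\n";
echo "<img alt='" . render_text($attr) . "' src=\"pic.png\">\n";

// Element content: the script tag comes out as inert text.
echo render_text($input), "\n";
```

The first `echo` shows the quote breaking out of the attribute; the second keeps the whole value inside it. This is the right tool when user text should be displayed as text. When users are meant to write real HTML, encoding is the wrong tool altogether and you need an allowlisting filter, which is what the replies below get to.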

https://forums.phpfreaks.com/topic/66935-solved-security-question/

You are correct.

You can use one of the many libraries out there for cleaning HTML if you want to allow it and still prevent XSS attacks.

Check out this page:

http://htmlpurifier.org/comparison.html

 

PS: You'd be surprised how many big sites are vulnerable to XSS. buy.com still is ;)

Decoding it will in fact make you susceptible again. You could do a regular expression search/replace to remove any script tags... because there really isn't a need to allow users to enter in javascript to begin with. If you find any occurrences you may consider logging it so that you can see what malicious users were trying to do. Or you could replace < and > with ( and ) on script tags and output it as text... but that's kind of ugly. Really depends on your situation. Can you provide some more insight?
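An added example, not from any poster in this thread, showing why "remove the script tags" with a regex does not hold up, and what the allowlist approach the suggested libraries take looks like in plain PHP. The payloads are constructed; `strip_script_tags` is one common way of writing the regex the reply above describes, and `sanitize_html` is a deliberately small DOM-based allowlist written for this illustration, not HTML Purifier's or htmLawed's code.

```php
<?php
declare(strict_types=1);

// The "remove any script tags" idea from the reply above, as a regex.
function strip_script_tags(string $html): string
{
    return preg_replace('#</?script\b[^>]*>#i', '', $html);
}

// Allowlist: element => attributes that may survive. Anything else is dropped.
const ALLOWED = [
    'p' => [], 'br' => [], 'b' => [], 'i' => [], 'em' => [], 'strong' => [],
    'ul' => [], 'ol' => [], 'li' => [],
    'a'   => ['href', 'title'],
    'img' => ['src', 'alt'],
];
const URL_ATTRS       = ['href', 'src'];
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function url_is_safe(string $url): bool
{
    // Browsers ignore control characters and whitespace inside a scheme, so
    // "jav\tascript:" still runs. Compact the value before looking at the scheme.
    $compact = strtolower(preg_replace('/[\x00-\x20]+/', '', $url));
    if (!preg_match('#^([a-z][a-z0-9+.\-]*):#', $compact, $m)) {
        return true;                       // no scheme: a relative URL, fine
    }
    return in_array($m[1], ALLOWED_SCHEMES, true);
}

function clean_node(DOMNode $node): void
{
    // Copy the live list first: removing children while iterating it skips nodes.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child->nodeType === XML_TEXT_NODE) {
            continue;                      // text is re-serialised with < and & escaped
        }
        if ($child->nodeType !== XML_ELEMENT_NODE) {
            $node->removeChild($child);    // comments, CDATA, processing instructions
            continue;
        }
        $tag = strtolower($child->nodeName);
        if (!isset(ALLOWED[$tag])) {
            $node->removeChild($child);    // unknown element goes, children included
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            $keep = in_array($name, ALLOWED[$tag], true)
                && (!in_array($name, URL_ATTRS, true) || url_is_safe($attr->nodeValue));
            if (!$keep) {
                $child->removeAttribute($attr->nodeName);   // onerror, style, javascript: URLs ...
            }
        }
        clean_node($child);
    }
}

function sanitize_html(string $dirty): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // tag soup is expected; no warnings
    $doc->loadHTML(
        '<!DOCTYPE html><html><head><meta http-equiv="Content-Type" '
        . 'content="text/html; charset=utf-8"></head><body>' . $dirty . '</body></html>'
    );
    libxml_use_internal_errors($prev);
    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed payloads. None contains a plain <script> for the regex to find,
// except the last attack, which is rebuilt into one by the regex itself.
$payloads = [
    '<img src="x" onerror="alert(1)">',
    '<a href="javascript:alert(1)">click</a>',
    '<a href="&#106;avascript:alert(1)">click</a>',      // entity-encoded scheme
    '<a href="jav&#x09;ascript:alert(1)">click</a>',     // tab inside the scheme
    '<scr<script>ipt>alert(1)</scr</script>ipt>',        // survives tag removal as <script>
    '<p><b>bold</b> and <a href="https://example.com">a link</a></p>',   // legitimate markup
];
foreach ($payloads as $p) {
    printf("input: %s\nregex: %s\nallow: %s\n\n", $p, strip_script_tags($p), sanitize_html($p));
}
```

Two things to take from the output: the event-handler and `javascript:` payloads never contained a script tag, so a blacklist regex has nothing to match, and the parser-based allowlist handles entity-encoded and whitespace-padded schemes because the DOM decodes attributes before the check. For production use a maintained library rather than this sketch; HTML Purifier expresses the same policy through its `HTML.Allowed` and `URI.AllowedSchemes` directives and covers far more edge cases (CSS, nesting rules, encoding quirks) than the few handled here.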

Jesirose, looks like that is exactly what I am looking for =] I will check it out.

 

I don't want to NOT allow HTML, I would like the users of my site to be able to use HTML to "decorate" their personal pages. I just want to make sure I'm protected from the XSS attacks mostly.

 

Wow, how could buy.com not be protected? 0_0 You would think they would have enough money to get it done...

 

Okay, I'm gonna check out that site, then I will be back to report the thread as solved if it's what I'm looking for. If anyone else has any suggestions, please share :)

Thanks jesirose, the library is perfect =]

 

Yeah, let's definitely not get started on that, I can already tell they are a bunch of morons. They will be forced to secure it sooner or later, and if they don't, we will just sit back and watch their empire fall =] I'm speaking from not much knowledge on just how vulnerable they are, but not being protected from those attacks couldn't be a good thing.

 

Anyways, thanks again xD

I'm assuming that this library will catch JavaScript as well?

2 months later...

For filtering input, one may also think of using htmLawed (http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/index.php), a highly customizable, 45 kb, single file, non-OOP PHP script to filter and purify HTML. Besides restricting tags/elements, attributes and URL protocols as per one's specification, and balancing HTML tags and ensuring valid tag nesting/well-formedness, it also has good anti-XSS and anti-spam measures.

I can see their building here from my office, maybe I'll walk over there and tell them face to face.

 

Yeah, and if you TELL buy.com or one of the other large sites, they threaten to prosecute you for attempted hacking. Don't get me started on these morons.
