Escaping quotes in HTML?

JavaScript and client side scripting.

evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

Hello. I have a string that comes from PHP that I want to include as a hidden value of a form. The problem is, that string might have quotes, and I may well end up with something like this:

<input type="hidden" name="somename" value="My nickname is "evilmonkey" on the devnetwork forums">

Obviously that will screw things up big time. Is there any way I can avoid that?

Thanks! :D
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

Convert them to: &quot;

htmlentities() or htmlspecialchars()
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

in that case you would want to use &quot; around whatever there is that will have those in it...


example :

<input type="text" name="bob" value="HI &quot;Bob&quot;">


that will display Hi "Bob" in your input box


the thing you should do is maybe something like this too...

// escape the value for the attribute context, then embed it
$myvar = htmlspecialchars($some_string_with_quotes);
echo "<input type=\"text\" name=\"bob\" value=\"$myvar\">";
edit: guess Buddha443556 got it first. oh well
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

Buddha443556 wrote:
Convert them to: &quot;

htmlentities() or htmlspecialchars()
:? Not very good. I need to pass some html code too that should go into the database and get processed as html code. :( Both of those commands would convert that too. Looks like I'm stuck making my own function to replace just the single quotes. Any better ideas?
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

<input type.... blah blah value='My "name is" blah' />
Might work.
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

agtlewis wrote:

<input type.... blah blah value='My "name is" blah' />
Might work.
That's worse considering an apostrophe is used much more than a quote. :)
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

uhh, addslashes() maybe? You shouldn't trust html to a user though.. big security flaw there
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

jshpro2 wrote:uhh, addslashes() maybe? You shouldn't trust html to a user though.. big security flaw there
HTML is my own. :) It basically works something like this: It's a messaging system, and if a user is responding to a message, I want to append the previous message to it automatically. So it's something like

How's it goin?
-----------------------------
On March 30, 2006, evilmonkey wrote

Hey Dude!
The "How's it goin?" part goes through strip_tags, mysql_escape_string, and stripslashes (not in that order of course :) ), but the dashes and everything after is added automatically. In order to format, I need HTML code, so using htmlentities was not a viable solution. And at the point at which I'm doing this, I no longer have access to just the message; I'd have to break the string again. I solved it by writing a function which will get rid of quotes, apostrophes, etc.

BTW, I'm glad someone brought up the security flaw behind letting the users post HTML. Can someone tell me what that flaw is? (I allow it in other places). The worst it can do is screw up the design of the page, but the area that's HTML-able by the user is in a frame...are there any injection worries or anything of the sort though? Please give examples. Thanks. :)
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

addslashes doesn't do anything in this instance. htmlentities() is the correct way. Try it, you'll find out.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

Well if he uses addslashes he won't break the HTML code and he can strip it out, but I agree htmlentities would be the ideal solution.


Also I think you need to pay more attention to your HTML:

<form>
<textarea>
<?php
echo '<b>test</b>';
?>
</textarea>
</form>
If your script is taking that data from that textarea and is not doing any checks on the HTML you are allowing the user to enter anything they want, period. Even if it is a hidden field all it takes is 2 seconds to modify the hidden field data with javascript, a firefox plugin or to do it from telnet. Security risks involved include XSS where cookies can be stolen and any kind of script can be injected into the page. For instance I could write up a javascript that changes the user's password without their knowledge (this is why feyd and others always suggest having the user type their password every time they perform an administrative function)
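As an added example (not code from the thread; the constant and function names below are this example's own, and the secret is a placeholder), one way to close the tampering hole josh describes: keep the quoted message in the hidden field, but attach an HMAC so the server can tell whether the client altered the value before it is accepted. Re-fetching the original message by its id on the server is the simpler alternative where it is available.

```php
<?php
// Added example, not from the thread: a hidden field can be edited by the
// client, so the server never trusts its contents as-is. The value is carried
// with an HMAC and re-checked on submit; any change makes verification fail.
// SECRET_KEY is a constructed placeholder; use a random secret in practice.

const SECRET_KEY = 'replace-with-a-random-32-byte-secret';

// Build the hidden field: base64 of the value plus a MAC over the value.
// base64 output contains no quotes, so the attribute cannot be broken either.
function build_hidden_field(string $name, string $value): string
{
    $mac = hash_hmac('sha256', $value, SECRET_KEY);
    $payload = base64_encode($value) . '.' . $mac;
    return '<input type="hidden" name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . '" value="' . htmlspecialchars($payload, ENT_QUOTES, 'UTF-8') . '">';
}

// On submit: split payload, recompute the MAC, compare in constant time.
// Returns the original value, or null if the field was altered or malformed.
function verify_hidden_field(string $payload): ?string
{
    $parts = explode('.', $payload, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encoded, $mac] = $parts;
    $value = base64_decode($encoded, true);
    if ($value === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $value, SECRET_KEY);
    return hash_equals($expected, $mac) ? $value : null;
}

// Constructed sample: the quoted previous message appended to a reply.
$quoted = "-----------------------------\nOn March 30, 2006, evilmonkey wrote\n\n<b>Hey Dude!</b>";

$field = build_hidden_field('quoted', $quoted);

// Simulate the browser submitting the field: pull the value attribute back
// out of the tag and decode the entities, as the browser would.
preg_match('/value="([^"]*)"/', $field, $m);
$submitted = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');

echo "untouched field accepted: ", var_export(verify_hidden_field($submitted) === $quoted, true), "\n";
echo "altered field rejected:   ", var_export(verify_hidden_field($submitted . 'x') === null, true), "\n";
```

The MAC covers the raw message, so the check is independent of how the value was escaped for HTML; hash_equals() avoids leaking the comparison result through timing.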
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Slashes don't escape anything in HTML. The code would break if it had an end delimiter mixed in.
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

Alright, thanks guys. Rest assured, I do run some checks (i.e., I don't want PHP code inside my text areas). I'm pretty lenient though because I want HTML code to stay. It's a tough balancing act...
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Use a textarea and set the display type to none using css. You can put whatever you want in it and it will be like a hidden field.
J_Iceman05
Forum Commoner
Posts: 72
Joined: Wed Aug 03, 2005 10:52 am
Location: Las Vegas, NV

Post by J_Iceman05 »

I think htmlspecialchars() or something like it would do well... I mean... If you are putting it in a database you have to be using php right? so when you display the text, (such as 'HI "bob"') you will be echoing the variable (which will contain &quot;, but still be displayed as a quote)
I just don't see where the problem is with using that kind of function...
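Added example, not code from the thread, illustrating the points made by Buddha443556 and feyd (htmlspecialchars()/htmlentities() is the right tool; slashes escape nothing in HTML) and by J_Iceman05 (the attribute holds &quot; but the browser shows and submits a plain quote). It builds the hidden field three ways and parses each result with DOMDocument to read back what a browser would actually see; the message and the helper names are constructed for this example.

```php
<?php
// Added example, not from the thread: compare what a browser receives from a
// hidden field whose value is embedded raw, with addslashes(), and with
// htmlspecialchars(). DOMDocument stands in for the browser's HTML parser.

// Constructed message: quotes, an apostrophe and some markup the author wants kept.
$message = 'My nickname is "evilmonkey" on the devnetwork forums<br>It\'s <b>bold</b>';

// Build the tag with an optional escaping function applied to the value.
function hidden_field(string $value, ?callable $escape): string
{
    $escaped = $escape ? $escape($value) : $value;
    return '<input type="hidden" name="somename" value="' . $escaped . '">';
}

// Parse the tag the way a browser would and return the value attribute it sees.
function value_seen_by_browser(string $html): string
{
    $doc = new DOMDocument();
    // Suppress libxml warnings: the raw and addslashes variants are malformed.
    @$doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input ? $input->getAttribute('value') : '';
}

$variants = [
    'raw'              => null,
    'addslashes'       => 'addslashes',
    // ENT_QUOTES also converts the apostrophe, so single-quoted attributes are safe too.
    'htmlspecialchars' => fn (string $s) => htmlspecialchars($s, ENT_QUOTES, 'UTF-8'),
];

foreach ($variants as $label => $escape) {
    $tag  = hidden_field($message, $escape);
    $seen = value_seen_by_browser($tag);
    printf("%-17s intact=%-3s seen=%s\n", $label, $seen === $message ? 'yes' : 'no', $seen);
}
```

The raw and addslashes() variants are cut off at the first embedded quote, because a backslash has no meaning inside an HTML attribute. The htmlspecialchars() variant comes back byte-for-byte equal to the original, including the &lt;b&gt; markup: encoding for the attribute context does not alter the stored message, since the browser decodes the entities before submitting the form. Whether that markup should later be rendered or entity-encoded on output is a separate decision.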