html character filtering problem

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

jimthunderbird
Forum Contributor
Posts: 147
Joined: Tue Jul 04, 2006 3:59 am
Location: San Francisco, CA

html character filtering problem

Post by jimthunderbird »

Hi all,
I just wrote a simple message board and I need to filter out the HTML characters in the subject and body. I use htmlspecialchars to filter it. But it's strange that someone can still post a message with HTML characters in it. Does anyone know how to deal with this? How can I prevent this more effectively? Thank you very much.
Frustrated,
jim
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

When you say they are still posting them, do you mean you can still see them, like on these boards?

htmlspecialchars() or htmlentities() does not remove them as such, it replaces them with their 'display' counterparts. e.g. '<' is replaced with '&lt;'

I can still see the HTML code effect like bold font...

Post by jimthunderbird »

I mean I can still see the message with bold font, green or red colour font..., that stuff I don't want to see; I just want the message as plain text with no formatting. So what can I do?
regards,
jim

Post by Jenk »

What's your code? :)

here's my code

Post by jimthunderbird »

The code is straightforward:


htmlspecialchars($text,ENT_QUOTES)

where $text is the text from the message.

I've heard of cross-site scripting attacks before; is it possible that someone can do some tricks to make htmlspecialchars not work as expected?

regards,

Jim

Post by Jenk »

Are you using it as:


htmlspecialchars($text,ENT_QUOTES);
echo $text;
or:


$text = htmlspecialchars($text,ENT_QUOTES);
echo $text;
The latter is correct :)
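To make the difference Jenk points out concrete, here is an added example (not code from the thread) that runs both forms against a constructed message subject: htmlspecialchars() returns the encoded string and leaves its argument untouched, so discarding the return value leaves the raw HTML in $text. The helper name escape_for_html and the sample subject are assumptions for the example.

```php
<?php
// Added example, not from the thread: why the "former" form leaves the
// message unescaped, and a helper that keeps the return value.

// Wrong: htmlspecialchars() does not modify $text; the encoded string it
// returns is thrown away, so the caller gets the original HTML back.
function escape_in_place_mistake(string $text): string
{
    htmlspecialchars($text, ENT_QUOTES);   // return value discarded
    return $text;                          // still contains <b>, <font>, ...
}

// Right: keep the return value. ENT_QUOTES also encodes single quotes, so the
// result is safe inside attribute values as well as element content;
// ENT_SUBSTITUTE swaps invalid UTF-8 sequences for U+FFFD instead of making
// htmlspecialchars() return an empty string for the whole message.
function escape_for_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample subject, not from the thread.
$subject = '<b style="color:red">Hello</b> & "goodbye"';

// The first line is the original markup (the browser would render it bold
// and red); the second line is the encoded text, which displays literally.
echo escape_in_place_mistake($subject), PHP_EOL;
echo escape_for_html($subject), PHP_EOL;
```

Apply the encoding at the point where the message is echoed into the page rather than before storing it, so the stored text stays usable in other contexts.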