Hi all,
I just wrote a simple message board and I need to filter out the HTML characters in the subject and body. I use htmlspecialchars to filter it. But it's strange that someone can still post messages with HTML characters in them. Does anyone know how to deal with this? How to prevent this more effectively? Thank you very much.
Frustrated,
jim
html character filtering problem
- jimthunderbird
- Forum Contributor
- Posts: 147
- Joined: Tue Jul 04, 2006 3:59 am
- Location: San Francisco, CA
I can still see the HTML code effect, like bold font...
I mean I can still see the message with bold font, green or red colored font..., that stuff I don't want to see, I just want the message as plain text with no formatting. So what can I do?
regards,
jim
Here's my code.
The code is straightforward:
htmlspecialchars($text, ENT_QUOTES);
where $text is the text from the message.
I've heard of cross-site scripting attacks before. Is it possible that someone can do some tricks to make htmlspecialchars not work as expected?
regards,
Jim
Are you using it as:

htmlspecialchars($text, ENT_QUOTES);
echo $text;

or:

$text = htmlspecialchars($text, ENT_QUOTES);
echo $text;

The latter is correct.
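To make the difference concrete, here is an added example (not code from this thread) showing the broken and the fixed escaping side by side in a small post-rendering helper; the post content is a constructed sample and the function names are my own.

```php
<?php
// Added example, not from the thread: why discarding htmlspecialchars()'s
// return value leaves a message board wide open to injected markup.

// WRONG: htmlspecialchars() does not change its argument in place, it RETURNS
// the escaped string. Throwing that return value away leaves $text untouched,
// so any tag a poster typed is sent to the browser verbatim.
function escape_broken(string $text): string
{
    htmlspecialchars($text, ENT_QUOTES);   // result discarded
    return $text;                           // raw HTML reaches the page
}

// RIGHT: keep the return value. ENT_QUOTES escapes ' and " in addition to
// <, > and &, and an explicit charset avoids surprises with malformed
// multibyte input.
function escape_fixed(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// A plain-text board usually still wants the poster's line breaks to show:
// escape FIRST, then convert newlines to <br>. Doing it the other way round
// would escape the <br> tags you just inserted.
function render_post(string $subject, string $body): string
{
    return '<h2>' . escape_fixed($subject) . "</h2>\n"
         . '<p>'  . nl2br(escape_fixed($body)) . "</p>\n";
}

// Constructed sample post containing the kind of markup seen in the thread.
$subject = 'Hello <b>everyone</b>';
$body    = "line one\n<font color=\"red\">line two</font> & \"quotes\"";

echo "--- broken (tags survive and render) ---\n";
echo '<h2>' . escape_broken($subject) . "</h2>\n";

echo "--- fixed (tags shown as literal text) ---\n";
echo render_post($subject, $body);
```

Run it with `php example.php` and compare the two sections: only the fixed version turns `<b>` into `&lt;b&gt;`.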