html character filtering problem

Posted: Tue Jul 04, 2006 4:05 am
by jimthunderbird
Hi all,
I just wrote a simple message board and I need to filter out the HTML characters in the subject and body. I use htmlspecialchars to filter it. But it's strange that someone can still post messages with HTML characters in them. Does anyone know how to deal with this? How to prevent this more effectively? Thank you very much.
Frustrated,
jim

Posted: Tue Jul 04, 2006 4:15 am
by Jenk
When you say they are still posting them, do you mean you can still see them, like on these boards?

htmlspecialchars() or htmlentities() do not remove them as such; they replace them with their 'display' counterparts, e.g. '<' is replaced with '&lt;'.

I can still see the HTML code effect like bold font...

Posted: Tue Jul 04, 2006 4:25 am
by jimthunderbird
I mean I can still see the message with bold font, green or red color font..., that stuff I don't want to see; I just want the message as plain text with no formatting. So what can I do?
regards,
jim

Posted: Tue Jul 04, 2006 4:42 am
by Jenk
What's your code? :)

here's my code

Posted: Tue Jul 04, 2006 4:53 am
by jimthunderbird
the code is straightforward:


htmlspecialchars($text,ENT_QUOTES)

where $text is the text from the message

I've heard of cross-site scripting attacks before; is it possible that someone can do some tricks to make htmlspecialchars not work as expected?

regards,

Jim

Posted: Tue Jul 04, 2006 5:17 am
by Jenk
Are you using it as:

htmlspecialchars($text,ENT_QUOTES);
echo $text;
or:

$text = htmlspecialchars($text,ENT_QUOTES);
echo $text;
The latter is correct :)
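The difference Jenk points out is that htmlspecialchars() returns the escaped string and leaves its argument untouched, so discarding the return value leaves the raw markup in place. The following is an added example, not code from the thread: both forms side by side, applied to a constructed post containing the kind of formatting tags Jim describes, plus a small check that tells you whether the escaped output can still be parsed as HTML by the browser. The function names and the sample text are this example's own.

```php
<?php
// Added example: why "htmlspecialchars($text, ENT_QUOTES);" on its own does nothing.
// Constructed sample post, as it might arrive in $_POST['body'].
$post = '<b style="color:green">hello</b><script>alert(1)</script> "quoted" \'single\'';

// Form 1 (the broken one): the return value is thrown away, $text is returned unchanged.
function escapeWrong(string $text): string
{
    htmlspecialchars($text, ENT_QUOTES); // result is discarded
    return $text;                        // still contains raw HTML
}

// Form 2 (the correct one): keep the return value. Passing the charset explicitly
// avoids depending on the default encoding of whatever PHP version runs the board,
// and ENT_QUOTES escapes both ' and " so the value is also safe inside an attribute.
function escapeRight(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Check a board author can run on the escaped output: if any literal '<' or '>'
// survives, the browser will treat it as markup rather than text.
function containsRawMarkup(string $html): bool
{
    return strpbrk($html, '<>') !== false;
}

foreach (['wrong' => escapeWrong($post), 'right' => escapeRight($post)] as $label => $out) {
    printf("%-5s raw markup left: %s\n      %s\n",
        $label, containsRawMarkup($out) ? 'yes' : 'no', $out);
}
```

Run it with the PHP CLI (php example.php): the "wrong" line reports that raw markup is still present and prints the tags verbatim, while the "right" line reports none and prints &lt;b ...&gt; in their place. The same rule applies at the point of output: escape when you echo into the page, and keep the assignment.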