escaping output
Posted: Mon Sep 08, 2008 4:02 am
by ibolui
Hi, I just read that for security purposes I should escape my $output before echoing the values, and the method is to use htmlentities.
However, if $output is HTML text, for example $output = "A 'quote' is <b>bold</b>";
and I wish to retain the <b> instead of it becoming &lt;b&gt;,
what should I do?
If I echo ANY unescaped output to a Flash app frontend, will there be security issues?
Re: escaping output
Posted: Tue Sep 09, 2008 1:55 pm
by andyhoneycutt
Typically, I think, you'll want to secure data that will be used from input, not output. As far as making sure things are good on the flash-app when it receives data, you'll want to run security measures on that end, not necessarily relying on the output method to secure your data.
-Andy
Re: escaping output
Posted: Tue Sep 09, 2008 2:54 pm
by Mordred
You should escape only values, not constants + values:
// $bold holds the untrusted value; escape it on its own, then drop it into the constant markup
$bold = htmlspecialchars($bold, ENT_QUOTES, 'utf8');
$output = "blah <b> $bold</b>";
echo $output;
instead of something like
// escaping the assembled string neutralises the constant <b> as well as the value
$output = "blah <b> $bold</b>";
echo htmlspecialchars($output, ENT_QUOTES, 'utf8');
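The difference between the two snippets above, worked through in Python as an added example (not code from the thread). html.escape(quote=True) does what htmlspecialchars($s, ENT_QUOTES, 'utf8') does, except that the single quote comes out as &#x27; rather than PHP's &#039;; both are inert. The sample inputs, including the hostile ones, are constructed for the example, and a third function shows why ENT_QUOTES matters when the value lands inside a quoted attribute.

```python
from html import escape

# Constructed sample inputs (not from the thread): a harmless value, a value
# carrying a script tag, and a value that tries to break out of an attribute.
HARMLESS = "Mordred's reply"
HOSTILE = "<script>alert(1)</script>"
HOSTILE_ATTR = '" onmouseover="alert(1)'


def render_unescaped(bold):
    """No escaping at all: whatever the user typed becomes markup."""
    return f"blah <b>{bold}</b>"


def render_escaping_value(bold):
    """Escape only the untrusted value, then place it in the constant markup.

    This is the pattern the post recommends: the <b> written by the
    programmer survives, the user's characters are turned into text.
    """
    return f"blah <b>{escape(bold, quote=True)}</b>"


def render_escaping_template(bold):
    """Escape the already-assembled string (the pattern the post advises against).

    Still safe, but the programmer's own <b> is escaped along with the value,
    which is exactly the problem the original question describes.
    """
    return escape(f"blah <b>{bold}</b>", quote=True)


def render_attribute(title):
    """Value placed inside a double-quoted attribute.

    quote=True (ENT_QUOTES in PHP) is what stops the user from closing the
    attribute with a " and appending an event handler of their own.
    """
    return f'<a href="/" title="{escape(title, quote=True)}">link</a>'


def contains_raw_tag(rendered, tag):
    """Crude check: does a literal <tag start survive in the rendered output?"""
    return f"<{tag}" in rendered.lower()


if __name__ == "__main__":
    for value in (HARMLESS, HOSTILE):
        print("unescaped        :", render_unescaped(value))
        print("value-escaped    :", render_escaping_value(value))
        print("template-escaped :", render_escaping_template(value))
    print("attribute        :", render_attribute(HOSTILE_ATTR))
```

Running it shows that both escaping strategies keep the script tag out of the page, but only the value-escaping one keeps the bold markup; escaping the template is not wrong, it is just lossy.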
Re: escaping output
Posted: Wed Sep 17, 2008 10:26 am
by ibolui
But with user input that is a huge chunk of text, how do I differentiate between constants and values?
Re: escaping output
Posted: Wed Sep 17, 2008 2:48 pm
by Cut
Use htmLawed to escape only certain tags:
http://www.bioinformatics.org/phplabwar ... /index.php
Read the documentation fully.
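What a tag-allowlisting filter like the one recommended above does, as an added example in Python (this is not htmLawed's code and not from the thread). The idea is the answer to the "huge chunk of user text" question: when the whole chunk is a value, you cannot escape selectively, so instead you parse it, re-emit only tags from a short allowlist with their attributes dropped, and escape everything else as text. The allowlist, the class and the sample input are assumptions made for the example; for real use, pick a maintained sanitizer rather than this sketch.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for the example: formatting tags only, never attributes.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Re-emit allowed tags bare; escape every other tag and all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            # Attributes are deliberately dropped, so onclick="..." never survives.
            self.out.append(f"<{tag}>")
        else:
            # Unknown tag: turn its raw text into inert, visible characters.
            self.out.append(escape(self.get_starttag_text(), quote=True))

    def handle_startendtag(self, tag, attrs):
        # <br/> and friends: treat like a start tag, no separate end tag.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")
        else:
            self.out.append(escape(f"</{tag}>", quote=True))

    def handle_data(self, data):
        # convert_charrefs=True decoded entities already, so &amp;lt; in the
        # input arrives here as "<" and is escaped back to "&lt;" below.
        self.out.append(escape(data, quote=True))

    def result(self):
        return "".join(self.out)


def sanitize(fragment):
    """Sanitize one user-supplied HTML fragment and return the safe markup."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


# Constructed sample input (not from the thread): legitimate bold text mixed
# with an event handler, a script element and an attribute-only payload.
SAMPLE = (
    'Hello <b onclick="alert(1)">world</b> <script>alert(1)</script>'
    ' &amp; <img src=x onerror=alert(1)> <i>ok</i>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

The script element is the interesting case: Python's parser hands its body over as raw text, and the sanitizer escapes it like any other text, so both the tag and its contents reach the browser as characters rather than code.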
Re: escaping output
Posted: Thu Sep 18, 2008 1:45 am
by Mordred
@ibolui: You know what "values" are, because you, the programmer, put them there!
See my previous example: $bold is a "value".