escaping output

Posted: Mon Sep 08, 2008 4:02 am
by ibolui
Hi, I just read that for security purposes I should escape my $output before echoing the values, and the method is to use htmlentities.

However, if the $output is HTML text, for example $output = "A 'quote' is <b>bold</b>";
and I wish to retain the <b> instead of it becoming &lt;b&gt;,
what should I do?

If I am to echo ANY unescaped output to a Flash app frontend, will there be security issues?

Re: escaping output

Posted: Tue Sep 09, 2008 1:55 pm
by andyhoneycutt
Typically, I think, you'll want to secure data that will be used from input, not output. As far as making sure things are good on the flash-app when it receives data, you'll want to run security measures on that end, not necessarily relying on the output method to secure your data.

-Andy

Re: escaping output

Posted: Tue Sep 09, 2008 2:54 pm
by Mordred
You should escape only values, not constants + values:

Code:

$bold = htmlspecialchars($bold, ENT_QUOTES, 'utf8');
$output = "blah <b> $bold</b>";
echo $output;

instead of something like

Code:

$output = "blah <b> $bold</b>";
echo htmlspecialchars($output, ENT_QUOTES, 'utf8');

Re: escaping output

Posted: Wed Sep 17, 2008 10:26 am
by ibolui
But from a user input of a huge chunk of text, how do I differentiate between constants and values?

Re: escaping output

Posted: Wed Sep 17, 2008 2:48 pm
by Cut
Use htmLawed to escape only certain tags: http://www.bioinformatics.org/phplabwar ... /index.php

Read the documentation fully.

Re: escaping output

Posted: Thu Sep 18, 2008 1:45 am
by Mordred
@ibolui: You know what "values" are, because you, the programmer, put them there!
See my previous example: $bold is a "value".
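Mordred's rule (escape the value, keep the constant markup) together with ibolui's "huge chunk of user text" case, as an added PHP example that is not code from this thread and is not htmLawed: escape everything the user supplied, then turn back only exact, attribute-free tags from a short whitelist. The function names and the sample input are constructed for the example.

```php
<?php
// Added example, not from the thread. Escape values with an explicit charset.
function escape_value(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constant markup plus an escaped value: the pattern Mordred describes.
// The user text can never break out of the <b> element here.
function render_bold(string $userText): string
{
    return 'blah <b>' . escape_value($userText) . '</b>';
}

// For user text that is allowed to contain some markup: escape the whole
// string first, then un-escape only exact tokens such as &lt;b&gt; and
// &lt;/b&gt;. A tag carrying attributes (e.g. <b onclick=...>) or any tag
// outside the whitelist never matches a token and therefore stays escaped.
function allow_simple_tags(string $userHtml, array $allowed = ['b', 'i', 'em', 'strong', 'p']): string
{
    $escaped = escape_value($userHtml);
    foreach ($allowed as $tag) {
        $escaped = str_replace(
            ['&lt;' . $tag . '&gt;', '&lt;/' . $tag . '&gt;'],
            ['<' . $tag . '>', '</' . $tag . '>'],
            $escaped
        );
    }
    return $escaped;
}

// Constructed sample input, taken from ibolui's question.
$input = "A 'quote' is <b>bold</b>";

// Treated purely as a value: the <b> the user typed is shown literally.
echo render_bold($input), "\n";

// Treated as rich text: the whitelisted <b> is kept, quotes are still escaped.
echo allow_simple_tags($input), "\n";
```

This keeps only bare, lowercase tags and does not repair unbalanced ones, so for anything richer than a handful of formatting tags the full sanitizer Cut points to is the better tool.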