Need critique on 'code samples' script

Posted: Wed Nov 25, 2009 7:50 am
by social_experiment
I am creating a blog that will have user input which might sometimes consist of code samples. The data would be stored inside a database, so I would use mysql_real_escape_string() when inserting the data and stripslashes() when displaying the data. Below is the PHP code that I created to help decide which method would be best:

<?php
 // Input form; PHP_SELF is user-influenced, so it is escaped before being echoed.
 echo "<form method=\"post\" action=\"".htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES)."\">";
 echo "<textarea cols=\"20\" rows=\"10\" name=\"sampleText\"></textarea>";
 echo "<input type=\"submit\" name=\"btn\" value=\"test sample text\" />";
 echo "</form>";

 // Posted sample text (empty on first load, before the form is submitted)
 $text = isset($_POST['sampleText']) ? $_POST['sampleText'] : '';

 // Display the sample verbatim: htmlentities() neutralises markup, <pre> keeps whitespace
 echo "Using <pre> tags and htmlentities<br />";
 echo "<pre>".stripslashes(htmlentities($text, ENT_QUOTES))."</pre>";
?>
 
The user input is displayed as 'sample code' without being parsed. I tried using the HTML tags <code></code> instead of <pre></pre>, but I want the 'code' entered to be displayed as the user enters it into the textarea. Is this a (relatively) secure method for allowing visitors to post code samples?

Re: Need critique on 'code samples' script

Posted: Wed Nov 25, 2009 8:48 am
by MichaelR
Perhaps this:

<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>">
<textarea cols="20" rows="10" name="sampleText"></textarea>
<input type="submit" name="btn" value="test sample text" />
</form>

<?php
  // Undo magic_quotes_gpc backslashes, if any
  $text = isset($_POST['sampleText']) ? stripslashes($_POST['sampleText']) : '';

  // Neutralise the tag delimiters so the browser shows them as text
  $text = str_replace('<', '&lt;', $text);
  $text = str_replace('>', '&gt;', $text);

  echo '<pre>' . $text . '</pre>';
?>
 

Re: Need critique on 'code samples' script

Posted: Wed Nov 25, 2009 10:27 am
by social_experiment

MichaelR wrote:
# <?php
#  
#   $text = stripslashes($_POST['sampleText']);
#  
#   $text = str_replace('<', '&lt;', $text);
#   $text = str_replace('>', '&gt;', $text);
#  
#   echo '<pre>' . $text . '</pre>';
#  
# ?>
 
It could work (I'll test it and get back), but what if a malicious user were to attempt something such as:

<script type="text/javascript">
 alert('Possible XSS');
</script>
 

Re: Need critique on 'code samples' script

Posted: Wed Nov 25, 2009 10:40 am
by social_experiment

<?php
 // Tag delimiters and their HTML entity equivalents
 $match_str = array('<', '>');
 $replace_str = array('&lt;', '&gt;');

 $input = isset($_POST['sampleText']) ? $_POST['sampleText'] : '';
 $replaced = str_replace($match_str, $replace_str, $input);

 echo stripslashes($replaced);
?>
 
I used your suggestion and it seems that it works just as well. Thanks for the critique.

Re: Need critique on 'code samples' script

Posted: Wed Nov 25, 2009 11:10 am
by MichaelR
My answer to any questions as to why use str_replace instead of htmlentities: the only problematic characters are < and >, and so only these really need changing. Changing everything is just superfluous.

To social_experiment: did your test answer your own question regarding the JavaScript? If not, the script will be output as text, not as code, because of the str_replace converting < and >.
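The following PHP is added here as an illustration and is not code from the thread: it runs the angle-bracket-only replacement discussed above next to htmlspecialchars() on a few constructed inputs, so the difference between "does not execute" and "is displayed exactly as typed" is visible. The function names and sample strings are this example's own.

```php
<?php
// Added example, not from the thread. Compares the str_replace approach
// with htmlspecialchars() for a user-supplied code sample shown in <pre>.

// The approach from the thread: neutralise only the tag delimiters.
function escape_angle_only(string $text): string {
    return str_replace(['<', '>'], ['&lt;', '&gt;'], $text);
}

// Encode every character that carries meaning in HTML text or attributes.
function escape_for_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs for this example.
$samples = [
    // The probe posted in the thread: neither version reaches the parser as a tag.
    'script tag' => "<script type=\"text/javascript\">\n alert('Possible XSS');\n</script>",
    // A sample that already contains entities. Angle-only escaping leaves the
    // ampersands alone, so the browser decodes "&lt;b&gt;" back to "<b>" and the
    // sample is no longer displayed as the user typed it.
    'literal entity' => 'echo "&lt;b&gt;bold&lt;/b&gt;";',
    // Quotes are untouched by angle-only escaping; that is harmless inside <pre>
    // but not if the same string is ever placed inside an attribute value.
    'quotes' => 'echo "done"; // it\'s finished',
];

foreach ($samples as $label => $input) {
    echo "== $label ==\n";
    echo "angle-only : " . escape_angle_only($input) . "\n";
    echo "htmlspecial: " . escape_for_html($input) . "\n\n";
}

// stripslashes() only undoes magic_quotes_gpc. When that feature is off, it
// silently removes backslashes the user meant literally (regexes, Windows paths).
$code = 'preg_match("/\\\\d+/", $s); // C:\\temp';
echo "original : $code\n";
echo "stripped : " . stripslashes($code) . "\n";
```

Run it from the command line with php; the ampersand case is the one that matters for the original poster's goal of showing the sample exactly as entered.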

Re: Need critique on 'code samples' script

Posted: Wed Nov 25, 2009 4:41 pm
by social_experiment
MichaelR wrote:
To social_experiment: did your test answer your own question regarding the JavaScript? If not, the script will be output as text, not as code, because of the str_replace converting < and >.

Yes, I found that the 'code' is displayed as text as it should be; I can just echo that $replaced_text between <pre></pre> tags and would get the same result (I think).

Thanks for the critique :)