Is it OK to have HTML tags inside an array (is there risk of hacking)?
I have the following array:
'tagline_p' => "I'm a <a href='#showcase'>multilingual web</a> developer, designer and translator. I'm here to <a href='#contact'>help you</a> reach a worldwide audience.",
Should I escape the HTML tags inside the array to avoid hackings to my site? (How to escape them?)
or is OK to have HTML tags inside an array?
The only time it becomes a problem is when it contains user input. You know what you put in your array, and trust it. But you don't know what users are passing in, and don't trust that.
So in this particular case, escaping is not needed. But as soon as user input is involved, you should escape the input.
It's not the HTML itself that is dangerous, but the type of HTML users can pass in, like script tags which allow them to execute JavaScript.
Addition
Note that it's best practice to only escape on output, not on input. The output is where the data can do damage, so you want to consistently escape that. That way, you don't have to make sure that all input is escaped.
That way, you don't have problems when outputting data to different formats where maybe different rules apply. You don't have to use things like stripslashes() or htmlspecialchars_decode() if you don't need things to be output as HTML.
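The escape-on-output rule from the answer above, as an added example (not code from the original answer). It uses a trusted developer-authored array like the one in the question next to a constructed untrusted value, and the helper name e() is an assumption made here; it assumes PHP 5.4 or later (for ENT_HTML5) and a page served as UTF-8.

```php
<?php
// Added example, not part of the answer above: escape untrusted data at
// the point of output, in the form the destination needs, and leave
// trusted hardcoded markup alone. Assumes PHP 5.4+ (ENT_HTML5) and a
// page served as UTF-8.

// Developer-authored strings, like the array in the question: trusted,
// so the HTML inside them is rendered as HTML.
$lang = [
    'tagline_p' => "I'm a <a href='#showcase'>multilingual web</a> developer, designer and translator.",
];

// Constructed sample of untrusted input, as a user might submit it.
$userComment = "<script>alert(document.cookie)</script> Tom's \"review\" & more";

// One helper for HTML text content and quoted attribute values
// (the name e() is just this example's choice).
function e(string $s): string
{
    // ENT_QUOTES encodes both " and ' (before PHP 8.1 the default flags left '
    // alone, which breaks single-quoted attributes); the charset argument
    // must match what the page is actually served as.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Trusted markup: output as-is.
echo '<p>' . $lang['tagline_p'] . "</p>\n";

// Untrusted value in element content: escape here, not when it was received.
echo '<p>' . e($userComment) . "</p>\n";

// The same value inside a single-quoted attribute: still e(), because
// ENT_QUOTES covers the quote character that would close the attribute.
echo "<input type='text' value='" . e($userComment) . "'>\n";

// Why not escape on input? The stored value also feeds non-HTML sinks.
// Escaping once at storage time would leave a literal "&lt;script&gt;" in a
// plain-text email or a JSON API; keeping the raw value and escaping per
// sink avoids that.
$stored = $userComment;                               // stored raw, as submitted
$plainTextMailBody = $stored;                         // plain-text sink: no HTML escaping
$jsonBody = json_encode(['comment' => $stored]);      // JSON sink: json_encode escapes for JSON
echo $plainTextMailBody, "\n", $jsonBody, "\n";
```

The point of the last block is the one the answer makes: the raw value is stored once and each sink applies its own encoding, so nothing has to be un-escaped later with stripslashes() or htmlspecialchars_decode().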
It's fine to store the data in the array.
You only need to escape the tags when you are outputting it into an HTML context, and you don't trust it, or you don't want the HTML to be interpreted.
You have to escape data in an appropriate manner to where you are sending it; for HTML if you don't want it to be read as HTML you can use htmlspecialchars(), likewise if you are putting it into an SQL statement and you don't want it to be read as SQL, you can use mysql_real_escape_string() etc.
You should escape HTML when it has been entered by a user (and thus is unsafe) AND you're going to display that HTML on your site. If it's you who wrote it, it doesn't need any kind of escaping.
If you do need to escape HTML you should do so right before displaying it on your site. There is no need to escape data when you're just lugging it around (like you're presumably doing with that array). You can escape HTML with the htmlspecialchars() function.
(Use htmlspecialchars or htmlentities to escape the HTML.)
Having HTML tags is fine as long as you restrict the set of tags and attributes coming from the user, if that array is dynamically generated. For example, <script> should not be allowed, nor event handlers like onmouseover.
It depends on how the HTML is getting into the array. If it's hardcoded by you, it's probably all right. If it's coming from a user, well, all user input is suspect; HTML is just more difficult to clean.
The real question might be "Why do you want to put HTML in an array?". If it's static text, put it in a template file somewhere.
Make an array of allowable tags and use strip_tags($input_array[$key], $allowable_tags),
or make a function like this:
function sanitize_input(array $input, $allowable_tags = '<br><b><strong><p>')
{
    $input_array = $input;
    foreach ($input as $key => $value) {
        if (!empty($value)) {
            // strip_tags removes every tag not in $allowable_tags
            // (note: it keeps all attributes on the tags it allows)
            $input_array[$key] = strip_tags($value, $allowable_tags);
        }
    }
    return $input_array;
}
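The tag-and-attribute restriction the earlier answer recommends, next to the strip_tags() approach of the answer above, as an added example that is not code from either answer. It shows why an allowlist of tags alone is not enough (strip_tags() leaves every attribute on the tags it allows, as the PHP manual warns) and a DOM-based sanitizer that also allowlists attributes per tag and checks link schemes. The functions safe_url(), sanitize_node() and sanitize_html() are this example's own; it assumes PHP 7+ with the bundled ext/dom, and it is a teaching sketch, not a replacement for a maintained sanitizer such as HTML Purifier.

```php
<?php
// Added example, not code from either answer: a tag allowlist alone is not
// enough, because strip_tags() keeps every attribute on the tags it allows.
// sanitize_html() below is written for this example (assumes ext/dom,
// bundled with PHP, and PHP 7+); for production use a maintained sanitizer
// such as HTML Purifier rather than hand-rolled code.

// Constructed hostile input: event handler, inline style, javascript: URL
// and a script block, all wrapped in tags that look harmless.
$input = '<p onmouseover="alert(1)">Hi <b style="color:red">there</b> '
       . '<a href="javascript:alert(2)">link</a><script>alert(3)</script></p>';

// The approach from the answers above: allow <p>, <b> and <a>.
$weak = strip_tags($input, '<p><b><a>');
// <script> and </script> are stripped, but onmouseover, style and the
// javascript: href all survive on the allowed tags, and the script body
// stays behind as text.

// Only http(s), mailto and relative URLs are acceptable link targets.
function safe_url(string $url): bool
{
    // Browsers ignore control characters and whitespace inside the scheme
    // ("java\tscript:"), so remove them before looking at it.
    $clean = preg_replace('/[\x00-\x20]+/', '', $url);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $clean, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true);
    }
    return true; // no scheme: relative path or #fragment
}

// Walk the tree: drop script/style with their content, unwrap other
// disallowed elements (keep their text), and on allowed elements keep only
// the attributes listed for that tag.
function sanitize_node(DOMNode $node, array $allowed): void
{
    // Snapshot the list: the loop body mutates $node's children.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if ($tag === 'script' || $tag === 'style') {
                $node->removeChild($child);
                continue;
            }
            if (!isset($allowed[$tag])) {
                sanitize_node($child, $allowed);
                // insertBefore moves each child up one level, then the tag goes.
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                $keep = in_array($name, $allowed[$tag], true)
                     && ($name !== 'href' || safe_url($attr->value));
                if (!$keep) {
                    $child->removeAttribute($attr->name);
                }
            }
            sanitize_node($child, $allowed);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child); // comments, processing instructions
        }
    }
}

function sanitize_html(string $html, array $allowed): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // malformed input is expected
    // The meta tag tells libxml the fragment is UTF-8.
    $doc->loadHTML('<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>'
                   . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    sanitize_node($body, $allowed);

    // Serialize only the body's children, not the wrapper document.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Allowlist: tag => attributes permitted on it.
$allowed = ['p' => [], 'br' => [], 'b' => [], 'strong' => [], 'a' => ['href']];

echo "strip_tags only: ", $weak, "\n";
echo "sanitize_html:   ", sanitize_html($input, $allowed), "\n";
```

Run it and compare the two lines: the strip_tags() result still carries the onmouseover handler, the style attribute and the javascript: link, while the DOM-based version keeps only the tags and attributes in $allowed and drops the javascript: href because safe_url() rejects its scheme. The per-tag attribute allowlist is the part the strip_tags() answer is missing.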