开发者

Prevent HTML data from being posted into form textboxes

I'm making a web application using PHP in where I have a form that makes entries into a MySQL database and later displays it on another webpage. But the problem is that the text boxes in the form tend to accept HTML content making the application vulnerable to XSS hacks. How do I convert HTML to plain text before I display it in the webpage.

Please feel free to ask questions in case I lack providing any information.

---------------------------------------(UPDATE)----------------------------------------

Many of you fellow mates have suggested the use of htmlspecialchars but in that case, if I were to al开发者_Go百科low user to refer to other pages using hyperlinks, how do I do that?


htmlspecialchars is one of your friends for that, you may also want to replace utf8, hexencoded or entitified version of < to avoid obfuscated script to get through.


htmlspecialchars is one to to prevent xss

strip_tags also strips out PHP tags

also make sure to use mysqli_real_escape_string or the like to prevent SQL injection

UPDATE in response to your update, the simplest way to do that would be to use one of the many markdown syntaxes ala Daring Fireball. Since the markdown syntax are not HTML/PHP tags, it should pass through the PHP functions without problem, but I have never implemented this myself, so YMMV.


there you go

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜