Simple PHP XSS / Urlencode Question
I have an email address param where email addresses are passed un-encoded like so:
http://domain/script?email=test+test@gmail.com
What PHP escaping/encoding will let me safely display the email address on an input field on the page?
Everything I tried causes the encoded chars to show up instead of the user-friendly email address 开发者_如何转开发(i.e. test%2Btest%40test.com)
Update - here's what I've tried:
Going from ?email=test+test@gmail.com to:
urlencode($_GET['email']) = test+test%40test.com (@ sign is encoded)
htmlspecialchars($_GET['email']) = test test@test.com (lost the +)
htmlspecialchars(urlencode($_GET['email']) = test+test%40test.com (@ sign encoded)
Recall that I'm trying to take the unencoded url email param and safely output it into the value of an input field while keeping plus signs intact.
Maybe I should try this?
str_replace("%40", "@", htmlspecialchars(urlencode($_GET['email'])))
If you want to safely output it in the value of an input field, you need to htmlencode it first with htmlspecialchars.
Example :
<input type="email" name="email" value="<?php echo htmlspecialchars($_GET['email']); ?>"
Note : If you aren't using double quote around what you are output, you need to apply more escaping. This page explains it all.
This works:
str_replace("%40", "@", htmlspecialchars(urlencode($_GET['email'])))
You're probably looking for urldecode()
? That's what converts %40, %2B, etc. back into normal characters.
use emailaddress = urldecode($_GET['email']);
as Kevin suggested. it will do whatever you need.
What if you validate the email and write it as it was, if only an email address is acceptable?
精彩评论