开发者

Simple PHP XSS / Urlencode Question

I have an email address param where email addresses are passed un-encoded like so:

http://domain/script?email=test+test@gmail.com

What PHP escaping/encoding will let me safely display the email address on an input field on the page?

Everything I tried causes the encoded chars to show up instead of the user-friendly email address 开发者_如何转开发(i.e. test%2Btest%40test.com)

Update - here's what I've tried:

Going from ?email=test+test@gmail.com to:

urlencode($_GET['email']) = test+test%40test.com (@ sign is encoded)
htmlspecialchars($_GET['email']) = test test@test.com (lost the +)
htmlspecialchars(urlencode($_GET['email']) = test+test%40test.com (@ sign encoded)

Recall that I'm trying to take the unencoded url email param and safely output it into the value of an input field while keeping plus signs intact.

Maybe I should try this?

str_replace("%40", "@", htmlspecialchars(urlencode($_GET['email'])))


If you want to safely output it in the value of an input field, you need to htmlencode it first with htmlspecialchars.

Example :

<input type="email" name="email" value="<?php echo htmlspecialchars($_GET['email']); ?>"

Note : If you aren't using double quote around what you are output, you need to apply more escaping. This page explains it all.


This works:

str_replace("%40", "@", htmlspecialchars(urlencode($_GET['email'])))


You're probably looking for urldecode()? That's what converts %40, %2B, etc. back into normal characters.


use emailaddress = urldecode($_GET['email']); as Kevin suggested. it will do whatever you need.


What if you validate the email and write it as it was, if only an email address is acceptable?

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜