
I have a simple script which I'm using to POST one word and then display it with lines from list_of_files.txt. I just noticed that I can POST JavaScript, PHP and HTML. How do I strip this?

<?php
$files = file('list_of_files.txt');   // one array entry per line of the file

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    foreach ($files as $list) {
        // the POSTed value is written into the page exactly as received
        $extension = $_POST['extension'];
        echo trim($list) . trim($extension);
        echo "</div>";
    }
} else {
?>
    Look into htmlspecialchars() and strip_tags() manual pages Commented Aug 27, 2013 at 13:11

2 Answers


strip_tags($str) (http://php.net/manual/de/function.strip-tags.php) will remove ALL HTML tags

Example:

name=<strong>Finn</strong>&last_name=<script>alert('XSS');</script>

PHP:

$normal   = $_POST['name'];            // <strong>Finn</strong>
$stripped = strip_tags($_POST['name']); // Finn


Are you looking for strip_tags?

This function tries to return a string with all NULL bytes, HTML and PHP tags stripped from a given str. It uses the same tag stripping state machine as the fgetss() function.

If you're looking to output it, you can use htmlspecialchars.

The translations performed are:

   '&' (ampersand) becomes '&amp;'
   '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
   "'" (single quote) becomes '&#039;' (or &apos;) only when ENT_QUOTES is set.
   '<' (less than) becomes '&lt;'
   '>' (greater than) becomes '&gt;'
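As an added example (not code from the question or either answer), here is the question's loop body wrapped in two functions that contrast the approaches both answers mention: encoding on output with htmlspecialchars() versus removing markup with strip_tags(). The function names and the sample data are assumed for illustration.

```php
<?php
// Added example: output encoding versus tag stripping for the question's loop.

// Safe for HTML output: encode the value at the moment it is written into the page.
function render_line(string $listEntry, string $extension): string
{
    // ENT_QUOTES also escapes single quotes, so the result is safe inside
    // attribute values whichever quote style delimits them; ENT_SUBSTITUTE
    // replaces invalid UTF-8 instead of returning an empty string.
    $text = trim($listEntry) . trim($extension);
    return '<div>' . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</div>';
}

// Lossy alternative: strip_tags() removes tags but keeps their text content and
// leaves quotes and other characters untouched, so it changes what the user
// wrote without being a substitute for encoding on output.
function render_line_stripped(string $listEntry, string $extension): string
{
    $text = trim($listEntry) . trim($extension);
    return '<div>' . strip_tags($text) . '</div>';
}

// Constructed sample data standing in for file('list_of_files.txt') and $_POST['extension'].
$files     = ["report\n", "notes\n"];
$extension = "<script>alert('XSS')</script>";

foreach ($files as $list) {
    echo render_line($list, $extension), "\n";          // script tags arrive as literal text
    echo render_line_stripped($list, $extension), "\n"; // tags are gone, "alert('XSS')" text remains
}
```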
