
Hoping this isn't a duplicate, I couldn't find an original question on the topic. If you have an area for users to input data, how do you store and retrieve the data without them inserting javascript or html?

As an example, say a user is making a forum post. They decide to write an html list or javascript function that runs when the post is viewed. How do you mitigate this when you receive their input on the server-side? Specifically, a server-side of PHP.

  • Remove parts of their string data based on patterns?
  • Use an html tag around their entry like ?

Thanks


4 Answers


All you have to do, going for the bare minimum, is replace < with &lt;.



I use HTML Purifier to strip out the bits I don't want and leave in the bits I do. The default rules are pretty good, but it offers enormous flexibility if you need it.

1 Comment

That looks like a fantastic tool. I'll definitely try it out.

You have to remove or translate the offending parts of their post. You can do it once as the post is coming in, and save the translated post in the database, or you can do it every time you display the post, and store the raw post in the database. Both approaches have their good and bad points.

As to how to strip the bad stuff, using simple matching to replace all < and > with &lt; and &gt; goes a long way -- but there's plenty more to do besides that.

3 Comments

Is there a list somewhere of items to replace to protect the site? Is it just < and >?
What more to do is there? No HTML gets through if you escape the less-than sign.
On when to do it: my preference is to store the raw post and translate/encode on later display. But maybe that's because I often work on systems where the data has to be accessible for other (non-HTML) purposes.
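As an added example (not code from any of the answers above) of the store-raw, encode-on-display approach this answer prefers, in PHP using the built-in htmlspecialchars(); the sample posts and the function names encode_for_html() and render_post() are constructed for this demo:

```php
<?php
// Added example: store the post exactly as typed, encode it only when it is
// written into an HTML page. Sample posts and function names are constructed.

declare(strict_types=1);

// Constructed sample posts, kept raw in the database (no encoding on input).
$storedPosts = [
    "I like <b>bold</b> text",
    "<script>alert('xss')</script>",
    "\" onmouseover=\"alert(1)",   // harmless as text, dangerous inside an attribute
];

// The bare minimum from the first answer: only '<' is replaced. Enough for a
// text node, but it leaves quotes alone, so it cannot protect an attribute value.
function minimal_escape(string $raw): string
{
    return str_replace('<', '&lt;', $raw);
}

// Encoder for both text nodes and quoted attribute values. ENT_QUOTES encodes
// single and double quotes as well as < > &; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function encode_for_html(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render one stored post as an element body and as a data attribute, encoding
// at display time in both contexts with the same encoder.
function render_post(string $raw): string
{
    $safe = encode_for_html($raw);
    return '<div class="post" data-raw="' . $safe . '">' . $safe . '</div>';
}

foreach ($storedPosts as $raw) {
    echo 'minimal: ', minimal_escape($raw), PHP_EOL;
    echo 'full:    ', render_post($raw), PHP_EOL, PHP_EOL;
}
```

Compare the third post in the two outputs: minimal_escape() leaves the double quotes intact, while encode_for_html() turns them into entities, so the value can no longer close the data-raw attribute.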

There are lots of tutorials out there on preventing code injections. Microsoft's is pretty comprehensive, found here.

For html injects, depending on how thorough you want to be, you can usually just put in a string parser to check for <> and remove them without given exceptions.

1 Comment

Sorry, didn't see you were working in php, but googling "preventing javascript php injections" brings up a handful of SO links, so be assured there is plenty of info out there.
