
I am working on this new social networking site. One of its various functions is posting. You can post to Facebook and my site, or Twitter and my site. That being said, I couldn't help but try and post HTML as I was testing SQL injection. When I did, I noticed that there were ways to manipulate the site to, for instance, use an element to completely screw up the CSS design, or redirect a user to another site using JavaScript. That being said, I want to make my site a safe environment for my users... not a site that is used to distribute computer viruses, porn, and other things that might make someone tend to stay off of my site. When I searched this topic, I found ways to "strip" the HTML out of the $post variable before submitting it to the database. However, I would just like to make it so you can post any text, including HTML and JavaScript, without the browser interpreting it as "run this..." code: I want to display it as plain text. I've seen it on Facebook, and when I looked at the source code of a post, it showed <, /, and > as regular text. I tried "dissecting" Facebook's source code, but found nothing. I have tried using tags such as <pre> and <code>, but because of the lack of ability to style and control them, I gave up and went back to just allowing HTML. Please, anyone who knows how to do this, please help me out.

Thanks in advance,

TP

Vincent Ramdhanie
Tim Powell
  • Thank you all for your help. I think I'm going to try to use a couple of methods, just to ensure security. I will probably use the server-side function to escape HTML special characters... mainly because it is a definite way to be compatible with all of the browsers. Click here for a link about the day when internet explorer will be compatible with mozilla firefox :p – Tim Powell Dec 01 '12 at 10:59

4 Answers


There's a function to "escape" html special characters. This will change

<p>Some dangerous html</p>
<script>window.location.replace('http://pornography.com');</script>

Into:

&lt;p&gt;Some dangerous html&lt;/p&gt;
&lt;script&gt;window.location.replace('http://pornography.com');&lt;/script&gt;

Which the browser will display as plain text (i.e. <p>Some ...).

Incidentally, this will have happened to the text in this very post. Which is probably for the best.

RichardTowers

You could use the function strip_tags() to filter the input. If you see that the text has changed, then it means the user tried to enter HTML data. You either reject the input or you keep the filtered version.

koopajah

I guess what you want is just removing links and JavaScript. You can do it with regular expressions:

Regular expression for parsing links from a webpage?

php regular expressions resources

de3

To show the < and > etc. as text, use

$output = htmlentities($string, ENT_QUOTES);

This will ensure any html code is displayed as text and not as pure html.

http://php.net/manual/en/function.htmlentities.php

Lawrence Cooke
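The following PHP script is an added example, not code from the question or from any of the answers above. It puts the three approaches discussed on this page side by side: escaping the special characters at output time (the approach of the first and last answers, here using htmlspecialchars() with ENT_QUOTES, which encodes the same five significant characters that htmlentities() does), and strip_tags() as a change detector (the second answer). The sample posts are constructed for the demonstration; the second one mirrors the redirect snippet from the first answer, and the third uses a <style> element of the kind the question describes breaking the page's CSS.

```php
<?php
// Added example (not from the question or any answer): escaping versus
// stripping user-supplied post text before it is rendered in an HTML page.

declare(strict_types=1);

/**
 * Escape a post for safe insertion into HTML element content or into a
 * quoted attribute value. ENT_QUOTES also encodes the single quote, and
 * ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of making the
 * whole result an empty string (the default behaviour on bad input).
 */
function escape_post(string $post): string
{
    return htmlspecialchars($post, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * The strip_tags() trick from the second answer: compare the stripped
 * text with the original. Useful as a detector ("did the user submit
 * markup?"), but not as an output filter, because strip_tags() does not
 * parse HTML and drops more than expected on partial or broken tags.
 */
function post_contains_markup(string $post): bool
{
    return strip_tags($post) !== $post;
}

/**
 * Render one post. Escaping happens here, at output time, every time,
 * so the database keeps the author's text exactly as typed and the
 * browser still receives only literal text inside the <div>.
 */
function render_post(string $post): string
{
    return '<div class="post">' . nl2br(escape_post($post)) . '</div>';
}

// Constructed sample posts.
$samples = [
    // Plain prose with an unmatched "<": strip_tags() treats "<b" as the
    // start of a tag and discards everything after it; escaping keeps it.
    'if a<b then swap them',
    // The redirect snippet given in the first answer.
    "<p>Some dangerous html</p>\n"
        . "<script>window.location.replace('http://example.com');</script>",
    // A style element of the kind the question says wrecked the CSS.
    '<style>body { display: none; }</style>',
];

foreach ($samples as $post) {
    echo "raw:       {$post}\n";
    echo "escaped:   " . escape_post($post) . "\n";
    echo "stripped:  " . strip_tags($post) . "\n";
    echo "markup?    " . (post_contains_markup($post) ? 'yes' : 'no') . "\n";
    echo "rendered:  " . render_post($post) . "\n\n";
}
```

Run it with php from the command line and compare the "escaped" and "stripped" lines: the escaped form of every sample is still the author's text, character for character, once the browser decodes the entities, whereas the stripped form of the first sample has lost everything after the "<". That is why escaping at output time, rather than stripping before the database write, is the approach to use for the "display it as plain text" requirement in the question.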