
I would like to post HTML code to a PHP page and then display that HTML inline. Is that safe to do? Since it's a simple form, could someone post PHP instead of HTML? What code do I use to make sure no PHP is submitted to the server?

More details:
This is my PHP page,

<HTML>
<body>
<form method="post">
<textarea id="html_textarea" name="html_textarea"></textarea>
<button type=submit>Preview</button>
</form>

PREVIEW
<?PHP
echo $_REQUEST['html_textarea'];
?>

</body>
</HTML>

Example data:

<div>Hello world</div>

What I don't want to happen is someone post this data:

<?php
// something malicious or not safe for work
?>

Does this make sense?

ANOTHER UPDATE:
Thanks for all the help. I need to give more details. I am writing an HTML editor online. So the developer can create and write their HTML pages and then I want to let them preview their HTML pages. They can write the body HTML and add a list of CSS and JS to include.

I could create an HTML page for them but I think it's not safe to create HTML pages on the server on the fly (or maybe it is?). I think I should let them post their HTML and CSS and JS to my PHP page on my server* and then I put it all together for them and display it. My thought was it would be only temporary. But according to the site on XSS it would be a non-persistent vulnerability. It may be that I can only allow previewing when the developer is logged in then.

*I say my server and then I get shivers. So that is why I ask the question here. What if I posted to their server (they would have to have a server). I would feel much safer but then the developer has to have their own server (maybe a good thing).

1.21 gigawatts
  • That's why we use `htmlspecialchars` – Mr. Alien Jul 30 '13 at 06:51
  • PHP will not be executed; just HTML might be posted, and then it can affect your page. You can bypass this with `htmlspecialchars($_REQUEST['html_textarea'])` –  Jul 30 '13 at 06:51
  • Unless you execute user input as a PHP script from code, it is a plain string. You should be more worried about XSS attacks. – Leri Jul 30 '13 at 06:52
  • May I know what exactly you mean by "displaying the HTML inline"? Do you just want to display the HTML code, or do you want to display the rendered HTML? And you should be concerned not about PHP script running, but about JavaScript code running, like PLB said (XSS refers to cross-site scripting) – justhalf Jul 30 '13 at 06:53
  • Sample data ``? :) – Joachim Isaksson Jul 30 '13 at 06:53
  • Use `<pre>` tag to display. Along with htmlspecialchars – Vins Jul 30 '13 at 06:54
  • @Vins Have you ever shown web-site to customer where content was wrapped by `pre` tag and (s)he was happy? – Leri Jul 30 '13 at 06:58
  • I have updated the question with more details about my goal – 1.21 gigawatts Jul 30 '13 at 07:19
  • If you're going to allow embedding JavaScript anyway, forget about filtering anything. When you're allowing JavaScript your developers will be able to insert malicious code either way. – thpl Jul 30 '13 at 07:32

3 Answers


I would like to post HTML code to a PHP page and then display that HTML inline. Is that safe to do?

Not with your code. People could be tricked into submitting malicious HTML with JavaScript. See Cross Site Scripting.

Since it's a simple form could someone post a PHP instead of HTML?

Echoing PHP won't have any significant effect. You would have to eval the submitted data for that to cause a problem.

It is malicious client side code you need to worry about. See What are the common defenses against XSS?

Quentin
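Quentin's point, shown as an added example rather than code from his answer: the question's preview page with the raw echo next to an escaped one. The field name `html_textarea` and the sample `<div>Hello world</div>` come from the question; the `htmlspecialchars` flags are standard PHP.

```php
<?php
// Added example (not code from the answer): the question's preview page with
// the raw echo next to the escaped one. The field name html_textarea comes
// from the question; everything else is standard PHP.

// What the question's page does: the submitted string goes straight back to
// the browser as markup, so any <script> or on* handler in it runs for
// whoever loads the preview (reflected XSS). Kept only for contrast; never
// send its result to the browser.
function preview_raw(string $input): string
{
    return $input;
}

// Escaped output: <, >, &, " and ' become entities, so the browser shows the
// submitted markup as text instead of interpreting it. ENT_QUOTES matters
// when the value lands inside a single-quoted attribute; ENT_SUBSTITUTE keeps
// invalid UTF-8 from silently turning the whole string into "".
function preview_escaped(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$submitted = $_POST['html_textarea'] ?? '<div>Hello world</div>';
?>
<!DOCTYPE html>
<meta charset="utf-8">
<form method="post">
  <!-- name= is required; an id alone never reaches $_POST -->
  <textarea name="html_textarea"><?= preview_escaped($submitted) ?></textarea>
  <button type="submit">Preview</button>
</form>

<h2>Submitted source</h2>
<pre><?= preview_escaped($submitted) ?></pre>
```

Escaping like this is the right answer when the page should show the submitted source; it cannot render the submission as live markup, which is what the updated question asks for and what the whitelist approach in the last answer addresses.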

You should always escape your user's input with a white list. That goes for HTML (JavaScript especially) also, because you are open to XSS attacks if you don't do that.

So you could start with the various escape functions PHP already provides. Better use a library than something you write on your own.

When in doubt about security in web development always consult with

https://www.owasp.org/index.php/Main_Page
idipous

Your code is vulnerable to XSS attacks, as you and others correctly noticed.

PHP's native functions won't be of much help here, since you want your HTML to be parsed.

I recommend a whitelist. You need to strip any tags that are not listed on your whitelist. PHP comes with strip_tags(), where you can pass a string with allowed tags. But I would not recommend using it, since it does not have any influence on the tags' attributes, which can contain malicious content. Example:

<?php
$whitelist = array(
    '<strong>',
);

$text = '<script>alert("This malicious code will never be executed!");</script><strong onclick="alert(\'But this will!\');">Some Text</strong>';
echo strip_tags($text, implode('', $whitelist));

?>

You can see that I added an onclick attribute to the strong tag which will show an alert. You also see that it's not an easy task to undertake when you want to allow certain tags.

You might want to write your own implementation of a Filter class which does what you want, or search on the internet.

When writing your own, take a look at the DOMDocument class. You will be able to access DOM elements and their attributes with it.

thpl
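The DOMDocument approach thpl points at, as an added example that is not code from his answer: a whitelist filter that walks the parsed tree and removes both unlisted elements and unlisted attributes, which is exactly what the strip_tags() example above cannot do. The allowed tags and attributes are an assumed policy for a preview page, not anything the answer specifies; the sample input is constructed and extends thpl's test string with a `javascript:` link and a PHP tag.

```php
<?php
// Added example, not code from thpl's answer: a whitelist filter built on
// DOMDocument, which lets you inspect attributes as well as tag names (the
// gap in strip_tags() shown above). The allowed tags/attributes are an
// assumed policy for the preview page; extend them to what your editor needs.

// Per-tag attribute whitelist. Everything not listed is removed, so onclick,
// onload, style and the like never survive.
const ALLOWED_TAGS = [
    'p' => [], 'br' => [], 'strong' => [], 'em' => [], 'ul' => [], 'ol' => [],
    'li' => [], 'h1' => [], 'h2' => [], 'div' => ['class'], 'span' => ['class'],
    'a' => ['href', 'title'], 'img' => ['src', 'alt'],
];
// Attributes that carry a URL and therefore need a scheme check.
const URL_ATTRIBUTES = ['href', 'src'];

// Accept relative URLs and http(s); reject javascript:, data:, vbscript: etc.
function is_safe_url(string $url): bool
{
    // Browsers drop ASCII control characters and whitespace before parsing
    // the scheme, so "java\tscript:" would otherwise slip past parse_url().
    $probe = preg_replace('/[\x00-\x20]+/', '', $url);
    $parts = parse_url($probe);
    if ($parts === false) {
        return false;                       // unparseable: do not keep it
    }
    if (!isset($parts['scheme'])) {
        return true;                        // relative URL
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

function clean_node(DOMNode $node): void
{
    // Copy the live list first: removing children while iterating it skips nodes.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!isset(ALLOWED_TAGS[$tag])) {
                // Unknown element: drop it with its whole subtree, so the
                // contents of a <script> element never reach the output.
                $node->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);
                if (!in_array($name, ALLOWED_TAGS[$tag], true)
                    || (in_array($name, URL_ATTRIBUTES, true) && !is_safe_url($attr->value))) {
                    $child->removeAttribute($attr->name);
                }
            }
            clean_node($child);
        } elseif (!($child instanceof DOMText)) {
            // Comments and processing instructions (a pasted <?php block lands
            // here as a processing instruction) are discarded.
            $node->removeChild($child);
        }
    }
}

function sanitize_html(string $fragment): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);       // tolerate sloppy markup quietly
    // The wrapper gives libxml the charset and a body to put the fragment in;
    // LIBXML_NONET stops any external DTD/entity fetch during parsing.
    $doc->loadHTML(
        '<!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>'
        . $fragment . '</body></html>',
        LIBXML_NONET | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body);

    // Serialise only the body's children, i.e. the cleaned fragment.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample: thpl's test string plus a javascript: link and a PHP tag.
$sample = '<script>alert("never shown");</script>'
    . '<strong onclick="alert(\'never shown\');">Some Text</strong>'
    . '<a href="javascript:alert(1)" title="t">bad link</a>'
    . '<a href="https://example.com/">good link</a>'
    . '<?php echo "never runs"; ?>';
echo sanitize_html($sample), PHP_EOL;
```

Run it from the command line and compare the output with the sample: the script element, the onclick attribute, the `javascript:` href and the PHP tag are gone, while the whitelisted tags and their listed attributes remain. Dropping an unlisted element together with its subtree is the conservative choice; unwrapping it (keeping its children) is less lossy but must still hard-drop script, style and similar elements. As idipous says, a maintained library is the better choice in production, since it will have dealt with parser quirks and attribute edge cases this short policy does not cover.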