
I made an HTML form, but my friend inserted some CSS markup into the <input type="text">, and it set my background color to pink. lol How can I avoid this? Do I need to change my SQL INSERT string? Is there a way to do this for JS too? Thanks

HTML

<div id="cadastro">
  <fieldset style="border:none;">
    <legend style="text-align:center;">
      <h1>SEJA UM MEMBRO IFBB</h1>
      <p class="sub-legenda">Filie-se e ajude o ifbb ser ainda mais forte.</p>
    </legend>
    <form enctype="multipart/form-data" action="#">
      <input type="text" class="nomeCadastro" placeholder="Nome" required>
      <br>
      <input type="email" class="emailCadastro" placeholder="E-mail" required>
    </form>
  </fieldset>
</div>

The CSS markup he inserted in <input type="text" class="nomeCadastro">:

<style>background-color:pink;</style>

I'm using PHP 5.

Luan
    can you be more specific and show the code? – Anusha Honey Sep 16 '13 at 10:06
  • `strip_tags()` does not really solve the problem. It's only (bad) workaround. – Marcin Orlowski Sep 16 '13 at 10:09
  • There are two approaches. If you need to let your users send `html` using your form, then you want to filter input to let only those tags you would like to allow. If you want to forbid any `html` to be posted by users, you can escape everything they send when you output it back to the page. In both cases you can rely on your server-side technology. If you're using `ajax` to load data you can take a look at the 3rd answer [here](http://stackoverflow.com/questions/24816/escaping-html-strings-with-jquery). The first 2 aren't safe (type 0 xss). – zaquest Sep 16 '13 at 10:17

1 Answer


You just need to replace special characters like < & > with entities, to stop user-provided data from behaving like your markup. If user-entered data goes to the DB, then you fetch it and display it, and in that part you see the issue. If your backend is e.g. PHP then all data should be passed through htmlspecialchars() prior to displaying, which would solve your problem. See docs: http://php.net/manual/de/function.htmlspecialchars.php

Marcin Orlowski
  • In fact you should pass the data to `htmlspecialchars()` as soon as possible, so before even saving to database or showing the form again (e.g. on form fill error)! – djot Sep 16 '13 at 10:19
  • Wrong. You should not save it altered. You got no problem with saving data but with viewing (displaying) so you should work in the right context and this means in your view, not model. – Marcin Orlowski Sep 16 '13 at 10:30
  • Well, I have an original and a cleaned-up column, one for directly viewing without ever forgetting to clean/sanitize ... and one, if I need the original (unchanged) data for other kinds of (mostly non-web) outputs. In a simpler context I prefer to only save and use the "cleaned" version. – djot Sep 16 '13 at 10:54
  • My point was you should not alter user-entered data on save because that way you irreversibly lose the original data, and saving such data is not a problem (assuming you heard about SQL injection :). What you say you do is exactly what I said. You got additional, pre-processed data, but you still have the original data. So that's fine. – Marcin Orlowski Sep 16 '13 at 14:38
  • My point for this question was - for people who answer questions like this - the best way is to save the safe data ;) – djot Sep 16 '13 at 14:53
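The output-escaping approach from the answer, as an added example that is not code from the question or the answer: the value is stored exactly as typed and converted to entities only in the view, both in element text and inside a quoted attribute when the form is re-filled. The helper name `h()` and the UTF-8 page encoding are assumptions; the sample value is the payload from the question.

```php
<?php
// Added example: escape at output time, as the answer describes.
// The database keeps the raw text; only the view converts < > & " ' to entities.

// Escape a string for HTML text content or a quoted attribute value.
// ENT_QUOTES also converts single quotes, so the result is safe inside
// value='...' as well as value="...". The charset must match the page's
// (UTF-8 assumed here); a mismatch makes htmlspecialchars() return "".
function h($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: the markup from the question, as it comes back from
// the DB unchanged (a SELECT of the nomeCadastro column).
$nome = '<style>background-color:pink;</style>';

// Unsafe: the raw value is concatenated into the page and the browser
// parses the <style> element as part of the document.
$unsafe = '<li>' . $nome . '</li>';

// Safe: the browser renders the literal text "<style>..." and applies nothing.
$safe = '<li>' . h($nome) . '</li>';

// Same rule when showing the form again after a validation error: escape
// inside the attribute too, otherwise a value containing a double quote
// closes the attribute and the rest of the input becomes new markup.
$input = '<input type="text" class="nomeCadastro" placeholder="Nome"'
       . ' value="' . h($nome) . '" required>';

echo $unsafe, "\n";
echo $safe, "\n";
echo $input, "\n";
```

Run it with `php` on the command line and compare the first two lines: only the unescaped one still contains a real `<style>` tag.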