2

I have one problem regarding the data insertion in PHP.

In my site there is a message system.

So when my inbox loads it gives one JavaScript alert.

I have searched a lot in my site and finally I found that someone has sent me a message with the text below.

<script>
  alert(5)
</script>

So how can I restrict the script code being inserted in my database?

I am running on PHP.

Peter Mortensen
Avinash

8 Answers

7

There is no problem with JavaScript code being stored in the database. The actual problem is with non-HTML content being taken from the database and displayed to the user as if it were HTML. The correct approach would be to make sure your rendering code treats text as text, not as HTML.

In PHP, this would be done by calling htmlspecialchars on the inbox contents when displaying the inbox (possibly along with nl2br and maybe turning links to <a> tags).

Avoid using strip_tags for text content: as a user, I might want to type a message like:

... and to create a link, use <a href="your-url-here">your-text-here</a> ...

strip_tags would eliminate the tag; htmlspecialchars would make the text appear as it was typed.

Victor Nicollet
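As an added example (my code, not Victor's), here is what the store-raw, escape-on-output approach looks like in PHP: the message is inserted unmodified with a prepared statement, and only the rendering function touches it, applying htmlspecialchars, nl2br and a link conversion that escapes before it builds the anchor. The messages table and its columns, the function names and the sample message are assumptions made for this illustration.

```php
<?php
// Added example; not code from the answer above. The table/columns and the
// sample message are constructed for illustration.
declare(strict_types=1);

// Store exactly what the sender typed. Filtering belongs at render time, not here.
// (Assumed schema: messages(to_user_id INT, body TEXT).)
function storeMessage(PDO $db, int $toUserId, string $body): void
{
    $stmt = $db->prepare('INSERT INTO messages (to_user_id, body) VALUES (:to, :body)');
    $stmt->execute([':to' => $toUserId, ':body' => $body]);
}

// Render one stored message body as HTML, treating the text as text.
function renderMessageHtml(string $body): string
{
    // Split the raw text into plain-text pieces and bare http(s) URLs. With
    // PREG_SPLIT_DELIM_CAPTURE the URL matches land at the odd indexes.
    $parts = preg_split('~(\bhttps?://[^\s<>"\']+)~i', $body, -1, PREG_SPLIT_DELIM_CAPTURE);

    $html = '';
    foreach ($parts as $i => $part) {
        // Every piece is escaped, URL or not, so it can never break out of
        // the surrounding markup or an href attribute.
        $escaped = htmlspecialchars($part, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

        if ($i % 2 === 1 && filter_var($part, FILTER_VALIDATE_URL) !== false) {
            // A validated URL becomes a link; the escaped form is used in both places.
            $html .= '<a href="' . $escaped . '" rel="nofollow noopener">' . $escaped . '</a>';
        } else {
            // Plain text: keep the sender's line breaks.
            $html .= nl2br($escaped);
        }
    }
    return $html;
}

// Constructed sample: the message from the question, a link, and a literal '<'.
$sample = "<script>\n  alert(5)\n</script>\nSee http://example.com/?a=1&b=2 and note that x<y";
echo renderMessageHtml($sample), PHP_EOL;
// The <script> block comes out as visible text (&lt;script&gt; ...), the URL as a
// link whose & is rendered as &amp;, and "x<y" stays readable as x&lt;y.
```

The point of escaping each piece before assembling the anchor is that the URL text is already inert when it is placed inside href="...", so no second filtering pass is needed on output; the same function is safe to call on every message in the inbox regardless of what was stored.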
5

You should not restrict it from being inserted into the database (if Stack Overflow restricted it, we would not be able to post code examples here!)

Instead, you should control how you display it. For instance, add htmlentities() or htmlspecialchars() to your echo call.

naivists
5

This is called XSS. There are numerous threads about it on SO.

Quentin
  • Just being pedantic here, but it's not *necessarily* XSS. It's just script injection which *could* be used for XSS and lots of other nastiness. – nickf Jan 05 '10 at 08:00
3

User input should be escaped before outputting it.

Whenever you're displaying something a user submitted, run it through htmlspecialchars() first. This'll turn HTML code into safe output.

ceejayoz
3

You should use strip_tags. If you still want to allow some HTML, then add a whitelist in the second parameter.

I should add a really big caveat here. If you're leaving any tags in a strip_tags whitelist, you can still be susceptible to JavaScript injection. Assume you're allowing the seemingly innocuous tags <strong> and <em>:

strip_tags will still allow all attributes, including event handlers like <strong onmouseover="window.href=http://mydodgysite.com">this</strong>.

You have a couple of serious options:

  • strip_tags with no whitelist. Safe, but doesn't allow for any formatting, and may cause problems with strings like this: "x<y, but y>4" --> "x4"
  • htmlentities. Use this when displaying the data on the screen (not on the data before you put it in the database). It's safe, but doesn't allow for formatting.
  • A different markup system than HTML, for example: Markdown, Wiki markup, BB Code. Requires rendering to convert back to HTML, but it's mostly safe and can be quite flexible.
nickf
  • Yes, this is nice information to prevent the script injection... Thanks a lot, I will keep it in mind from now on.. – Avinash Jan 05 '10 at 06:39
2

Take a look at the htmlspecialchars() function. It converts < > ' " and & to their HTML entity equivalents, meaning <script> will become &lt;script&gt;

Yacoby
1

You can use strip_tags(). The second argument of this function allows you to give an explicit list of which tags are allowable:

// Allow <p> and <a>, <script> will be stripped
echo strip_tags($text, '<p><a>');

You may also consider htmlspecialchars(), which converts characters like < into &lt;, causing the browser to interpret them as text, rather than code:

$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
Sampson
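An added example (not code from nickf's or Sampson's answers) that makes both of their points concrete: strip_tags() with a whitelist keeps attributes, event handlers included, on the allowed tags and mangles text such as "x<y, but y>4", whereas escaping everything with htmlspecialchars() first and then restoring a fixed set of bare tags keeps attributes out while still allowing some formatting. The helper names, the attribute check and the sample inputs are my own constructions.

```php
<?php
// Added example; not code from the answers above. All inputs are constructed.
declare(strict_types=1);

// The whitelist approach from the answers: tags outside the list are removed,
// but any attribute on a whitelisted tag survives untouched.
function stripWithWhitelist(string $text): string
{
    return strip_tags($text, '<strong><em>');
}

// Escape everything, then re-enable a small set of tags WITHOUT attributes.
// Because the text is fully escaped first, only the exact sequences
// "<strong>", "</strong>", "<em>", "</em>" are restored; a tag carrying an
// attribute (e.g. "<strong onmouseover=...>") stays escaped, visible text.
function escapeThenAllow(string $text, array $allowedTags = ['strong', 'em']): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    foreach ($allowedTags as $tag) {
        $safe = str_replace(
            ['&lt;' . $tag . '&gt;', '&lt;/' . $tag . '&gt;'],
            ['<' . $tag . '>', '</' . $tag . '>'],
            $safe
        );
    }
    return $safe;
}

// Check whether any real tag in an HTML fragment still carries an attribute.
// Handy as a test on whatever sanitizer is finally used: the output of a
// "formatting only" filter should never make this return true.
function hasTagAttributes(string $html): bool
{
    return preg_match('~<[a-z][a-z0-9]*\s+[^>]*=~i', $html) === 1;
}

$samples = [
    // The event-handler case from nickf's answer.
    'attribute' => '<strong onmouseover="window.href=http://mydodgysite.com">this</strong>',
    // The text-mangling case: strip_tags treats "<y, but y>" as a tag.
    'compare'   => 'x<y, but y>4',
    // Plain formatting that both approaches should keep.
    'plain'     => 'hello <em>world</em>',
];

foreach ($samples as $label => $input) {
    $stripped = stripWithWhitelist($input);
    $escaped  = escapeThenAllow($input);
    echo $label, PHP_EOL;
    echo '  strip_tags        : ', $stripped,
         '   (attributes left: ', hasTagAttributes($stripped) ? 'yes' : 'no', ')', PHP_EOL;
    echo '  escape-then-allow : ', $escaped,
         '   (attributes left: ', hasTagAttributes($escaped) ? 'yes' : 'no', ')', PHP_EOL;
}
// For 'attribute', strip_tags returns the <strong onmouseover=...> tag intact,
// while escapeThenAllow returns it as &lt;strong onmouseover=&quot;...&quot;&gt;this</strong>.
// For 'compare', strip_tags returns "x4"; escapeThenAllow returns "x&lt;y, but y&gt;4".
```

The escape-then-allow routine is deliberately literal: it only restores lowercase, attribute-free tags and does not balance an unclosed <strong>, so a stray opening tag can still affect the layout of what follows. That is a formatting nuisance rather than script execution, but if you need more than a couple of tags, a proper HTML sanitizer that parses the markup, or one of the alternative markup systems nickf lists, is the better tool.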
0

If I understand you right, you're just looking for two simple commands:

// str_replace takes (search, replace, subject): the text to modify is the third argument
$message = str_replace("<", "&lt;", $message);
$message = str_replace(">", "&gt;", $message);
Bobby
  • So after that, if I echo the script code, it will alert again, so it will be better to remove the script tags from the DB value... What do you think for this case.....? – Avinash Jan 04 '10 at 14:02