
I'm trying to make a registration page. The user enters data into an input, and if it doesn't match my criteria I want to put their value back into the input box so they don't have to type it again.

I use htmlspecialchars to prevent XSS.

// Escape once, for output inside a double-quoted HTML attribute
$string_from_user = htmlspecialchars($_POST['string'] ?? '', ENT_QUOTES, 'UTF-8');

echo '<input type="text" name="string" value="'.$string_from_user.'">';

The problem is... let's say I want to enter the name: john"> My input box now shows: john&#34;> and the real value of the input is: john&amp;#34;&gt;

How can I make my input box show: john"> while the real value is a safe string that prevents XSS?

SOLVED

It seems there was another FILTER_SANITIZE_STRING in my code that I hadn't noticed. I removed it and now everything works very well.

/* This caused the problem: FILTER_SANITIZE_STRING already encodes quotes as &#34;,
   so htmlspecialchars() then encoded the & again, giving &amp;#34;.
$string = filter_input(INPUT_POST, 'string', FILTER_SANITIZE_STRING);
*/

$string = $_POST['string'] ?? ''; // take the raw value; escape it only at output time

$string_from_user = htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

echo '<input type="text" name="string" value="'.$string_from_user.'">';
PHPCore
  • Try to *just* replace `"` with `"`. – h2ooooooo Feb 24 '14 at 12:34
  • Have you tried just `addslashes()` instead of `htmlspecialchars`? That way hopefully it will be shown correctly in the input box. – KristofMorva Feb 24 '14 at 12:34
  • Take a look at HTML Purifier: http://htmlpurifier.org/ – Amir Bar Feb 24 '14 at 12:35
  • @h2ooooooo I would try that, but my `htmlspecialchars` is already replacing `"` with `&#34;` – PHPCore Feb 24 '14 at 12:36
  • @Quentin no, I'm trying to display back to the user the original string they entered, but in the page source it must be XSS protected – PHPCore Feb 24 '14 at 12:39
  • @PHPCore — Your question seems to be predicated on "the real value" being "the HTML source code" and not "the value displayed to the user" … which is wrong. – Quentin Feb 24 '14 at 12:41
  • @PHPCore instead of editing the question you could post it as an answer and accept it. – krishna Feb 24 '14 at 12:49
  • If you've solved your problem, you need to answer your question below and accept it as the answer. Editing your question with the solution is not permitted. This is **not** a forum. – Michael Irigoyen Feb 27 '14 at 13:52

4 Answers


Use htmlspecialchars_decode.

Refer to the manual for information on usage: http://php.net/manual/en/function.htmlspecialchars-decode.php

d.abyss

You should use

// Encode all characters that have HTML entity equivalents before output
$name = htmlentities($name);
echo $name;

htmlentities will convert the characters, which you can see in the page source, but to the end user the text will appear clean.

Abhinav

Look at this library; I think it's more powerful for you.

OWASP's antiXSS specific library is at: http://code.google.com/p/php-antixss/

Ashouri

It seems there was another FILTER_SANITIZE_STRING in my code that I hadn't noticed. I removed it and now everything works very well.

/* This caused the problem: FILTER_SANITIZE_STRING already encodes quotes as &#34;,
   so htmlspecialchars() then encoded the & again, giving &amp;#34;.
$string = filter_input(INPUT_POST, 'string', FILTER_SANITIZE_STRING);
*/

$string = $_POST['string'] ?? ''; // take the raw value; escape it only at output time

$string_from_user = htmlspecialchars($string, ENT_QUOTES, 'UTF-8');

echo '<input type="text" name="string" value="'.$string_from_user.'">';
PHPCore
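To see the double encoding the question and the accepted answer describe side by side, here is an added example (not code from the question or any answer) that uses a constructed input in place of `$_POST['string']` and shows what the page source contains and what a browser would display for each pipeline:

```php
<?php
// Added example, not code from the question or the answers. Compares the
// broken pipeline (FILTER_SANITIZE_STRING followed by htmlspecialchars) with
// escaping once, and shows what the browser displays for each attribute value.

// Constructed sample input, standing in for $_POST['string'].
$raw = 'john">';

// Broken pipeline from the question: FILTER_SANITIZE_STRING turns " into
// &#34;, then htmlspecialchars() encodes the & of that entity a second time.
// FILTER_SANITIZE_STRING is deprecated since PHP 8.1; @ silences that notice.
function escape_twice(string $value): string {
    $sanitized = @filter_var($value, FILTER_SANITIZE_STRING);
    return htmlspecialchars($sanitized, ENT_QUOTES, 'UTF-8');
}

// Fixed pipeline: keep the raw value and escape exactly once, at output time,
// with ENT_QUOTES so both quote characters are safe inside the attribute.
function escape_once(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// What a browser shows for an attribute value: entities are decoded once.
function browser_displays(string $attribute_source): string {
    return html_entity_decode($attribute_source, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$pipelines = [
    'escape_twice' => escape_twice($raw),
    'escape_once'  => escape_once($raw),
];

foreach ($pipelines as $label => $escaped) {
    $markup = '<input type="text" name="string" value="' . $escaped . '">';
    printf("%-12s source: %s\n", $label, $markup);
    printf("%-12s shown : %s\n", '', browser_displays($escaped));
}
```

Run it with `php` on the command line; the `escape_twice` lines reproduce the `john&amp;#34;&gt;` source and `john&#34;>` display from the question, while `escape_once` keeps the quote inside the attribute in the source and displays `john">` to the user.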