
I have some questions about how to avoid Xss injection and remove tags:

I'm using Summernote and I want to allow some tags like <br>, <p>, <strong>, etc. I could use the function strip_tags(), but if someone writes the symbol greater than (>) or less than (<), for instance:

(4 > 5).

This is removed and I want to keep it.

Besides, I need to know the correct length of the text that was entered because I don't want to allow more than N characters, let's say no more than 300 characters. In order to get this I would use strip_tags(), but the string is truncated as I mentioned before. How can I do this?

Obviously, I want to avoid XSS injection, so I would use htmlentities(strip_tags(string), ENT_QUOTES) to save in the DB, and when I want to show the content on the main page I would use html_entity_decode(string). Is that enough to avoid it?

Thanks in advance

David
  • I would suggest using [HTML Purifier](http://htmlpurifier.org/). When implementing security measures, you'll be better off using an extensive and well tested library instead of creating something on your own. – Cafe Coder Nov 11 '14 at 11:37

1 Answer


Don't use strip_tags! If a user tries to enter something like The bob said <the-secret>, it will be stripped! htmlentities is unnecessary. You want htmlspecialchars:

```php
<?php
$input = "<script>alert('ur screwed')</script>";
// htmlspecialchars encodes the characters HTML treats specially (<, >, &, quotes)
// so the browser displays the text instead of parsing it as markup
echo htmlspecialchars($input);
```

Returns `&lt;script&gt;alert('ur screwed')&lt;/script&gt;`. Decode with `htmlspecialchars_decode`.

bjb568
  • Actually, I wanted to say htmlspecialchars(), I got confused. My question is: if I use htmlspecialchars_decode() to show it on the main page, I would be writing the original sentence, in this case: `` or am I wrong? – David Apr 18 '14 at 03:15
  • You don't need to decode (normally). Store as written in DB, when it comes out do a htmlspecialchars. – bjb568 Apr 18 '14 at 03:18
  • Ok, but I would like to show it if someone writes `something` because I'm using Summernote; if I save with htmlspecialchars(), I'll have to show it with htmlspecialchars_decode() so that it looks pretty in the browser. – David Apr 18 '14 at 03:47
  • That will be an additional complication **after** you encode the data. Don't encode the data before going into the DB, do it after. [This](http://stackoverflow.com/questions/21792609/parse-html-user-input) might help (and be confusing). – bjb568 Apr 18 '14 at 03:48
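
As an added example (not code from the question, the answer, or the comments above), here is the pattern the answer and the HTML Purifier comment point to, written out for both kinds of field the question mentions: plain text is stored as typed and encoded with htmlspecialchars() at output time; rich text from the Summernote editor is reduced to an allow-list of tags with HTML Purifier instead of strip_tags(); and the 300-character limit is measured on the visible text, so "4 < 5" counts as five characters and is not truncated. It assumes the composer package ezyang/htmlpurifier is installed; the function names, the tag allow-list and the sample input are my own and constructed for the example.

```php
<?php
// Added example, not from the original question or answer.
// Assumes HTML Purifier (composer package ezyang/htmlpurifier) is installed;
// everything else is plain PHP 7.4+/8.x.
require __DIR__ . '/vendor/autoload.php';

// Plain-text field (e.g. a title): store exactly as typed, encode at output time.
function renderPlainText(string $raw): string
{
    // ENT_QUOTES also encodes single quotes, so the result is safe inside
    // attribute values; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Rich-text field (Summernote output): keep only an allow-list of tags and
// attributes; everything else, including on* event handlers and javascript:
// URLs, is removed by the purifier rather than by a home-grown regex.
function purifyRichText(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,br,strong,em,ul,ol,li,a[href]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}

// Length as the reader sees it: count characters of the visible text, not of
// the HTML. strip_tags() is safe to use here only because the input is already
// well-formed purified HTML, in which a literal "<" has become &lt; and so
// cannot be mistaken for the start of a tag.
function visibleLength(string $purifiedHtml): int
{
    $text = html_entity_decode(strip_tags($purifiedHtml), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return mb_strlen($text, 'UTF-8');
}

// Constructed sample input, as a user of the editor might submit it
// (a mix of wanted formatting, a literal "<", and two XSS attempts).
$submitted = '<p>4 < 5 and <strong>bold</strong></p>'
           . '<img src=x onerror="alert(1)">'
           . '<a href="javascript:alert(2)">click</a>';

// Validate before storing: reject over-long input instead of truncating HTML,
// which could cut a tag in half and change what the browser renders.
$clean = purifyRichText($submitted);
if (visibleLength($clean) > 300) {
    http_response_code(422);
    exit('Text must be at most 300 characters.');
}
// $clean is what goes into the database and is echoed back unchanged on the page.
echo $clean, PHP_EOL;

// The answer's counter-example for strip_tags(): encoding keeps the text intact.
echo renderPlainText("The bob said <the-secret>"), PHP_EOL;
```

The split matters: `renderPlainText()` belongs in the template that displays a plain field, never in the code that writes to the database, so the stored value stays the original and can be edited or shown in a non-HTML context later. The rich-text field is the one place where purifying before storage is reasonable, because the purified HTML is the value you want to both keep and display; running the same allow-list at render time as well costs little and protects against rows written before the purifier was added.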