-2

I have a form with a text field a user can edit, which will create a page on the website containing the text entered. How can I ensure the resulting page doesn't show anything malicious (no links, images or code, just raw text)? Currently, from PHP, I'm using htmlspecialchars(), and when displaying the text on the page it's within xmp tags. Is that enough, or should I explicitly do things like validating against script tags etc.?

edit: This question is different to the suggested question, because I'm not using sql.

edit 2: I accepted strip_tags. I'm now validating user input from PHP with htmlspecialchars(strip_tags("input")), and wrapping it in xmp tags when displayed.

jimmy
  • 3
  • 3

2 Answers

0

First of all: use prepared statements for your database storing, updating, etc.

Second: you should escape the output using the htmlspecialchars() function. It will just convert special characters to HTML entities, so if you put a script tag in there, it will not run.

Unless you want your users to post code just like here on Stack Overflow, you can just use the strip_tags() function, as @user2182349 pointed out.

Akar
  • 5,075
  • 2
  • 25
  • 39
0

You can use strip_tags - it will remove everything in tags. http://php.net/manual/en/function.strip-tags.php

user2182349
  • 9,569
  • 3
  • 29
  • 41
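The following PHP is an added example illustrating both answers above (escape on output with htmlspecialchars(), and what strip_tags() does to the same input); it is not code from the question or either answer. It assumes UTF-8 pages and substitutes a `<pre>` element for the `<xmp>` element mentioned in the question, since `<xmp>` is obsolete in HTML5 and, once the text is escaped, any element will display it verbatim. The sample inputs are constructed for the demonstration.

```php
<?php
// Added example, not from the original question or answers.
declare(strict_types=1);

/**
 * Turn untrusted text into HTML that the browser will display verbatim.
 * ENT_QUOTES also escapes single quotes (needed if the text ever lands in an
 * attribute), ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an
 * empty string, and an explicit charset avoids relying on default_charset.
 */
function escape_html(string $untrusted): string
{
    return htmlspecialchars(
        $untrusted,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
}

/**
 * Render the text as a whitespace-preserving block. <pre> is used here as an
 * assumed replacement for the question's <xmp>; because the content is escaped
 * first, a closing tag inside the user text cannot terminate the element.
 */
function render_text_block(string $untrusted): string
{
    return '<pre>' . escape_html($untrusted) . '</pre>';
}

// Constructed sample inputs: the kinds of payloads the question worries about,
// plus two benign strings that show where strip_tags() changes meaning.
$samples = [
    'plain'        => 'Hello, world',
    'script'       => '<script>alert(1)</script>',
    'xmp_breakout' => '</xmp><img src=x onerror=alert(1)>',
    'attribute'    => '" onmouseover="alert(1)',
    'entity'       => '&lt;b&gt;not bold&lt;/b&gt;',
    'math'         => 'if a<b then c>d',
];

foreach ($samples as $name => $input) {
    $escaped  = escape_html($input);
    $stripped = strip_tags($input);

    // After escaping, no raw angle brackets or quotes survive, so the browser
    // cannot interpret any of the text as markup. This holds for every input,
    // which is why escaping is the security control; strip_tags() only removes
    // things that look like tags and is lossy on ordinary text.
    assert(strpos($escaped, '<') === false && strpos($escaped, '>') === false);
    assert(strpos($escaped, '"') === false && strpos($escaped, "'") === false);

    printf("%-12s input:    %s\n", $name, $input);
    printf("%-12s escaped:  %s\n", '', $escaped);
    printf("%-12s stripped: %s\n\n", '', $stripped);
}

// The full rendered block for the payload that tries to close the wrapper.
echo render_text_block($samples['xmp_breakout']), "\n";
```

Two things worth noticing when running this: the `entity` sample is double-encoded by htmlspecialchars() (the default double_encode=true), so a user who types `&lt;b&gt;` sees exactly that on the page rather than `<b>`, which is the "raw text" behaviour the question asks for; and the `math` sample loses the text between `<` and `>` under strip_tags(), so if strip_tags() is applied before storage the original input cannot be recovered. Escaping at output time alone is sufficient to prevent markup or script from rendering; strip_tags() is an optional content-policy filter on top, not a substitute.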