
When I input:

<script>alert("XSS")</script>Cleaning Test

My output should be:

Cleaning Test

but I get the same as the input: <script>alert("XSS")</script>Cleaning Test

Can someone help me solve this problem? I have tried a lot, but it doesn't work. I need to check that my HTMLPurifier is working.

This is my code:

<?php

require_once 'htmlpurifier/library/HTMLPurifier.auto.php';

ini_set("display_errors", 1);
error_reporting(E_ALL);

define('DB_SERVER', "localhost");
define('DB_USER', "sanoj");
define('DB_PASSWORD', "123456");
define('DB_DATABASE', "test");
define('DB_DRIVER', "mysql");

// Raw POST values; filter_input() returns null when a field is absent
$country = filter_input(INPUT_POST, 'title');
$dirty_html = filter_input(INPUT_POST, 'wysiwyg');

// Default HTML Purifier configuration: <script> and other unsafe markup is removed.
// Cast to string so a missing field does not pass null into purify().
$purifier = new HTMLPurifier();
$clean_html = $purifier->purify((string) $dirty_html);

try {
    $db = new PDO(DB_DRIVER . ":dbname=" . DB_DATABASE . ";host=" . DB_SERVER, DB_USER, DB_PASSWORD);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Prepared statement with named placeholders: the values are never
    // interpolated into the SQL string
    $stmt = $db->prepare("INSERT INTO final(title, wysiwyg) VALUES (:title, :wysiwyg)");

    // Note: the length argument of bindParam() is only meaningful for OUT
    // parameters; it does not truncate the input, so the columns must be wide enough
    $stmt->bindParam(':title', $country, PDO::PARAM_STR, 100);
    $stmt->bindParam(':wysiwyg', $clean_html, PDO::PARAM_STR, 100);

    if ($stmt->execute()) {
        echo '1 row has been inserted';
    }

    $db = null;
} catch (PDOException $e) {
    trigger_error('Error occurred while trying to insert into the DB: ' . $e->getMessage(), E_USER_ERROR);
}
?>
  • Since the HTML Purifier demo is returning your expected value and I see nothing immediately wrong about your use of HTMLPurifier, I need to ask (even though it might be a stupid question): Are your dirty and subsequent clean HTML both `<script>alert("XSS")...`? Judging from your variable names, you're inputting information from a WYSIWYG. Did you type ` – pinkgothic May 24 '15 at 10:11
  • The reason I'm asking is because that would not be inherently dangerous, and it would be correct for HTML Purifier to leave it as it is. `<script>alert("XSS")...` is HTML escaped - as long as you don't `htmlspecialchars_decode()` before you output it, you're good. (In that case, **remember to use `htmlspecialchars()` if you're going to load it back into the WYSIWYG, though.**) – pinkgothic May 24 '15 at 10:14
  • See also this answer: http://stackoverflow.com/a/26128263/245790 – pinkgothic May 24 '15 at 10:16
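The distinction raised in the comments above, as an added example that is not part of the original question or of HTML Purifier itself: a real `<script>` element is removed by the purifier, while the entity-encoded text `&lt;script&gt;` that a WYSIWYG editor sends when the user *typed* the tag contains no element at all, so there is nothing to strip and it is rendered harmlessly as literal characters. The script below assumes the same library path as the question's code and uses the standard `HTMLPurifier_Config::createDefault()` API; the two test inputs are constructed for the demonstration.

```php
<?php
// Added example (not from the original question): raw tag vs. already-escaped text.
// Assumes HTML Purifier is installed at the same path the question uses.
require_once 'htmlpurifier/library/HTMLPurifier.auto.php';

$config = HTMLPurifier_Config::createDefault();
$config->set('Cache.DefinitionImpl', null); // no cache directory needed for a one-off check
$purifier = new HTMLPurifier($config);

// Constructed inputs. The first is what a live <script> tag looks like; the second
// is what a WYSIWYG editor typically submits when the user typed the tag as text:
// the angle brackets arrive already entity-encoded.
$raw     = '<script>alert("XSS")</script>Cleaning Test';
$escaped = '&lt;script&gt;alert("XSS")&lt;/script&gt;Cleaning Test';

function purifyAndShow(string $label, string $dirty, HTMLPurifier $purifier): string
{
    $clean = $purifier->purify($dirty);
    echo "$label\n  in : $dirty\n  out: $clean\n";
    return $clean;
}

// Case 1: a real element. HTML Purifier removes <script> together with its contents,
// leaving only the trailing text.
$cleanRaw = purifyAndShow('raw tag', $raw, $purifier);

// Case 2: escaped text. No element is present, so the purifier has nothing to remove;
// the output still contains entities, which the browser shows as literal "<script>".
$cleanEscaped = purifyAndShow('escaped text', $escaped, $purifier);

// The actual hazard: decoding entities AFTER purification recreates the tag.
$decoded = htmlspecialchars_decode($cleanEscaped);
$isTagAgain = strpos($decoded, '<script>') !== false;
echo "decoded after purify: $decoded\n";
echo "live <script> again: " . ($isTagAgain ? 'yes' : 'no') . "\n"; // yes: never output this

// If the data was escaped in transit and you need it as HTML, decode FIRST and
// purify afterwards, so the purifier sees (and removes) the real element.
$decodeThenPurify = $purifier->purify(htmlspecialchars_decode($escaped));
echo "decode, then purify: $decodeThenPurify\n";

// Loading purified HTML back into a <textarea>-based WYSIWYG: escape it once more so
// the markup is treated as field data rather than parsed as part of the page.
echo '<textarea name="wysiwyg">'
   . htmlspecialchars($cleanRaw, ENT_QUOTES, 'UTF-8')
   . "</textarea>\n";
```

Run it from the command line with `php` in the directory that holds the `htmlpurifier/` folder. The ordering shown in the third case is the practical rule: any `htmlspecialchars_decode()` belongs before `purify()`, never between purification and output.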

0 Answers