I have written a simple contact form script and am trying to add XSS validation to it using the method described on W3Schools. Unfortunately it doesn't work, as if I enter a "<" in one of the fields and then submit, it comes out as "<" when I receive it via email.

Can anyone suggest what I'm doing wrong?

Data collection section

// Default every field to an empty string so the variables always exist.
$name = $co = $email = $tel = $message = "";

// Only read the fields when the form has actually been submitted.
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $name    = test_input($_REQUEST['name']);
    $co      = test_input($_REQUEST['company']);
    $email   = test_input($_REQUEST['email']);
    $tel     = test_input($_REQUEST['tel']);
    $message = test_input($_REQUEST['message']);
}

Data testing function

function test_input($data) {
    $data = trim($data);            // drop leading/trailing whitespace
    $data = stripslashes($data);    // remove backslashes added by magic quotes
    $data = htmlspecialchars($data); // encode <, >, & and " as HTML entities
    return $data;
}

Many Thanks

Tessa

1 Answer

Maybe your email client is configured to show the email as HTML. htmlspecialchars will convert < to &lt; Try to display your email as plain text.

dev0
  • Thanks for the suggestion. I set Outlook to read messages as plain text but the "<" symbol was still showing. – Tessa Oct 13 '15 at 19:59
  • I don't see any problems in the code you provided. Maybe some reconverting happens before sending the email? You might be better off using `$_POST` instead of `$_REQUEST`. – dev0 Oct 13 '15 at 20:31
  • Thanks, I tried both $_POST and $_REQUEST and it had the same outcome however I think you're right. I think what's happening (from the message I'm getting from Outlook) is that it's retrieving the message as HTML and then converting it to plain text which I imagine causes the "<" to be converted anyway. – Tessa Oct 20 '15 at 19:25
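As an added example (not code from the question or the answer), the same test_input() run on a constructed input, followed by the two ways the result can be mailed. It shows that the entity produced by htmlspecialchars is decoded back to "<" by any client that renders the body as HTML, which is the behaviour described above, and that this is what correct escaping looks like in an HTML mail: the markup is displayed as text rather than interpreted. The recipient address is a placeholder.

```php
<?php
// Added example, not code from the question or the answer. Demonstrates why an
// HTML-encoded value shows "<" again once the mail is rendered as HTML.

function test_input(string $data): string {
    $data = trim($data);
    $data = stripslashes($data);
    return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input, as a user might type it into the "message" field.
$raw     = "  Hello <b>there</b>  ";
$encoded = test_input($raw);
echo $encoded, "\n";   // Hello &lt;b&gt;there&lt;/b&gt;

// A client that treats the body as HTML decodes entities before display,
// so the reader sees "<" again. html_entity_decode() models that step.
echo html_entity_decode($encoded, ENT_QUOTES, 'UTF-8'), "\n";  // Hello <b>there</b>

// Case 1: plain-text email. Clients do not decode entities here, so the
// reader would literally see "&lt;b&gt;". Send the trimmed value unencoded;
// a text/plain body is never parsed as markup, so a "<" in it is just a character.
$textHeaders = "MIME-Version: 1.0\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
$textBody    = "Message:\n" . trim($raw);

// Case 2: HTML email. The body IS parsed as HTML, so the encoded value is
// what stops user-supplied tags from rendering; the client shows "<b>" as
// visible text instead of applying bold formatting.
$htmlHeaders = "MIME-Version: 1.0\r\n"
             . "Content-Type: text/html; charset=UTF-8\r\n";
$htmlBody    = "<p>Message: " . $encoded . "</p>";

// PLACEHOLDER recipient; replace before use.
$to = 'recipient@example.invalid';
mail($to, 'Contact form (plain text)', $textBody, $textHeaders);
mail($to, 'Contact form (HTML)',       $htmlBody, $htmlHeaders);
```

Pick the encoding to match the Content-Type you actually send: HTML entities belong only in a text/html body.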