PHP: How to html-encode html-encoded data?

Question

I'd like to parse a RSS Feed and display the content on my website(php,html).

But I'd like to html-encode the feed to prevent xss attacks. But how do I do this properly?

1.) How can I html-encode an url so that it will work afterwards? If I use htmlspecialchars for an entiere url the url won't work anymore.

2.) The Titel of the RSS Feed is already html-encoded. But I'd like to do it again by myself to be sure there can't be xss content inside it. But how I can I html-encode already encoded html? If I use htmlspecialchars twice the html output will show the escape commands instead of the right symbol.

You can try `strip_tags()` http://php.net/manual/en/function.strip-tags.php or see this https://stackoverflow.com/a/48362353/2494754 — NVRM, May 20 '18 at 10:02

score 0 · Answer 1 · answered May 20 '18 at 11:51

Just give you a function that can remove xss. (not work at every situations)

function RemoveXSS(&$string, $low = false)
{
    if (!is_array($string)) {
        $string = trim($string);
        $string = strip_tags($string);
        $string = htmlspecialchars($string);
        if ($low) {
            return true;
        }
        $string = str_replace(['"', "\\", "'", "/", "..", "../", "./", "//"], '', $string);
        $no = '/%0[0-8bcef]/';
        $string = preg_replace($no, '', $string);
        $no = '/%1[0-9a-f]/';
        $string = preg_replace($no, '', $string);
        $no = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]+/S';
        $string = preg_replace($no, '', $string);
        return true;
    }
    $keys = array_keys($string);
    foreach ($keys as $key) {
        RemoveXSS($string [$key]);
    }
}

PHP: How to html-encode html-encoded data?

1 Answers1