
I have an issue: when I enter text, I can enter HTML with the text. For example "I am entering text ". Now this link shows up as a link when the form is submitted. Any ideas on how to prevent this?

I am entering text <a href="xyz.com">Go to my site </a>. This is the input, so when I output the data it comes out as "I am entering text Go to my site" with "Go to my site" rendered as a hyperlink.

Aditya Shukla

5 Answers

Put the string in htmlspecialchars() or strip_tags().

And, since I feel cleaning strings for other purposes will be the next question thrown out, I should bring up this: The ultimate clean/secure function

Guttsy

You aren't going to be able to easily prevent a user from entering tags without JavaScript, but you can use

 strip_tags()

on the backend to remove them.

 htmlspecialchars()

will not remove these tags, it will just encode the special characters.

Brandon Frohbieter

Normally, you do not want to prevent this. You want to make sure it doesn't output HTML when you print it.

The way to do that is like so:

echo $_GET['text']; // this prints HTML links etc
echo htmlspecialchars($_GET['text']); // this does not
Jon

If I understood correctly, you want to prevent injecting HTML code. Use htmlspecialchars().

echo htmlspecialchars($_POST['myform']);
alexia

Sanitize your input data before displaying it. This is well known as a Cross Site Scripting (XSS) attack. You can use htmlspecialchars() or strip_tags() to clean the data.

Stephen P