I have created this code which has a basic HTML form and I tried to validate the user input as much as I could. However, when I try to input the code below, it still goes off. I saw guides which validate the form to not allow , but I do not know how to implement it in my form.

<script>alert("hello")</script>

Could you please give me a hint how to secure my HTML form from XSS attacks? I appreciate any help. Thank you in advance.

Here is my code so far:

<!DOCTYPE HTML>  
<html>
<head>
<style>
input[type=text], select {
  width: 100%;
  padding: 12px 20px;
  margin: 8px 0;
  display: inline-block;
  border: 1px solid #ccc;
  border-radius: 4px;
  box-sizing: border-box;
}

input[type=submit] {
  width: 100%;
  background-color: #004990;
  color: white;
  padding: 14px 20px;
  margin: 8px 0;
  border: none;
  border-radius: 4px;
  cursor: pointer;
}   

input[type=submit]:hover {
  background-color: #f9ba53;
}

div {
  border-radius: 5px;
  background-color: #f2f2f2;
  padding: 20px;
}   
.error {color: #d92c27;}
</style>
</head>
<body>  

 <?php
 // define variables and set to empty values
 $nameErr = $emailErr = $locationErr = "";
 $name = $email = $location = "";

 if ($_SERVER["REQUEST_METHOD"] == "POST") {
   if (empty($_POST["name"])) {
     $nameErr = "Name is required";
   } else {
     $name = test_input($_POST["name"]);
     // check if name only contains letters and whitespace
     if (!preg_match("/^[a-zA-Z ]*$/",$name)) {
       $nameErr = "Only letters and white space allowed";
     }
   }

   if (empty($_POST["email"])) {
     $emailErr = "Email is required";
   } else {
     $email = test_input($_POST["email"]);
     // check if e-mail address is well-formed
     if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
       $emailErr = "Invalid email format";
     }
   }

   if (empty($_POST["location"])) {
     $locationErr = "Campus Location is required";
   } else {
     $location = test_input($_POST["location"]);
   }
 }

 function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
 }
 ?>

 <h1>University Student Form</h1>
 <div>
     <p><span class="error">* required field</span></p>
     <form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
<h2>Name:</h2> <input type="text" name="name" value="<?php echo $name;?>">
<span class="error">* <?php echo $nameErr;?></span>
<br><br>
<h2>Email:</h2> <input type="text" name="email" value="<?php echo $email;?>">
<span class="error">* <?php echo $emailErr;?></span>
<br><br>
<h2>Campus Location:</h2>
<input type="radio" name="location" <?php if (isset($location) && $location=="Geneva") echo "checked";?> value="Geneva">Geneva
<input type="radio" name="location" <?php if (isset($location) && $location=="Leiden") echo "checked";?> value="Leiden">Leiden
<input type="radio" name="location" <?php if (isset($location) && $location=="Vienna") echo "checked";?> value="Vienna">Vienna
<span class="error">* <?php echo $locationErr;?></span>
<br><br>
<input type="submit" name="submit" value="Submit">  
</form>
</div>

 <?php
 // Starting the session   
 session_start();

 echo "<h1>University Student</h1>";
 echo "<h1>Name: ".$_POST['name']. "</h1>";
 echo "<h1>Email: ".$_POST['email']. "</h1>";
 echo "<h1>Campus Location: ".$_POST['location']. "</h1>";

 // Removing all session variables
 session_unset();

 // Destroying the session
 session_destroy();

 ?>

 </body>
 </html>

0 Answers
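Why the alert still fires in the page above, shown as an added example that is not part of the original post: the form fields are escaped through test_input(), but the summary block at the bottom echoes $_POST directly. The sketch below validates the raw values (with an allow-list for the radio group) and escapes only at output time; the names e(), field(), validate_submission() and render_summary() are illustrative, the sample input is constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: e(), field(), validate_submission() and render_summary() are illustrative names.

const CAMPUSES = ['Geneva', 'Leiden', 'Vienna'];   // allow-list for the radio group

// Escape for HTML text and quoted attributes, at the point of output.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read one field as a trimmed string; arrays (name[]=x) and missing keys become ''.
function field(array $post, string $key): string {
    return is_string($post[$key] ?? null) ? trim($post[$key]) : '';
}

// Validate raw values. Returns [values, errors]; the values stay unescaped.
function validate_submission(array $post): array {
    $v = ['name' => field($post, 'name'), 'email' => field($post, 'email'),
          'location' => field($post, 'location')];
    $errors = [];
    // \A and \z anchor the whole string, so a trailing newline cannot slip through.
    if (!preg_match('/\A[a-zA-Z ]+\z/', $v['name'])) {
        $errors['name'] = 'Only letters and white space allowed';
    }
    if (filter_var($v['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid email format';
    }
    if (!in_array($v['location'], CAMPUSES, true)) {
        $errors['location'] = 'Campus Location is required';
    }
    return [$v, $errors];
}

// Build the summary block; every dynamic value passes through e().
function render_summary(array $v): string {
    return "<h1>University Student</h1>\n"
         . '<h1>Name: ' . e($v['name']) . "</h1>\n"
         . '<h1>Email: ' . e($v['email']) . "</h1>\n"
         . '<h1>Campus Location: ' . e($v['location']) . "</h1>\n";
}

// Constructed sample input: the payload from the question in the name field.
$post = ['name' => '<script>alert("hello")</script>', 'email' => 'a@example.org', 'location' => 'Geneva'];
[$values, $errors] = validate_submission($post);

// Invalid input is reported, never echoed back raw.
echo $errors ? 'Rejected: ' . e(implode('; ', $errors)) . "\n" : render_summary($values);
// Even if the summary is rendered for this input, the payload comes out as inert text.
echo render_summary($values);
```

In the original page the same idea applies to the three `echo "<h1>...".$_POST[...]` lines: render them only after a POST with no validation errors, and pass each value through the escaping function.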