This is one of my forms (PHP+MySQL, textarea replaced by TinyMCE). It records a description with paragraphs, bullets, headings and text alignment (right, left, center and justify).
Once submitted, the record appears as
<p style="text-align: justify;"><strong>Introduction</strong></p>
<p style="text-align: justify;">The death of the pixel leaves you with a flowing, magazine-quality canvas to design for. A canvas where curves are curves, not ugly pixel approximations of curves. A canvas that begins to blur the line between what we consider to be real and what we consider to be virtual.</p>
<p style="text-align: justify;">It wasn't too long ago that there was one set of rules for use of type on print and use of type on screen. Now that we have screens that are essentially print quality, we have to reevaluate these conventions.</p>
<p style="text-align: justify;">Web sites are transforming from boring fields of Arial to embrace the gamut of typographical possibilities offered by web fonts. Web fonts, combined with the style and layout options presented by the creative use of CSS and JavaScript offer a new world of typographic oppor</p>
<ol>
<li style="text-align: justify;">point 1</li>
<li style="text-align: justify;">point 2</li>
<li style="text-align: justify;">point 3</li>
</ol>
I read that you need to sanitize any data that goes into the database to avoid XSS and started looking for a solution.
The solution I found is to use "htmlspecialchars()" (Source: Lynda.com - Creating Secure PHP Websites).
So, the tutorial says that we need to sanitize our input before saving to the database and use something like (sample code)
<?php
// Sample from the tutorial: print the raw POST value next to the three PHP
// escaping/stripping functions so their effects can be compared.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $category_description = $_POST['category_description'];

    echo $category_description;                    // raw: the submitted markup is rendered as-is
    echo '<br><br>';
    echo htmlspecialchars($category_description);  // &, <, >, " become entities (' too with ENT_QUOTES, the default since PHP 8.1)
    echo '<br><br>';
    echo htmlentities($category_description);      // every character that has a named HTML entity is encoded
    echo '<br><br>';
    echo strip_tags($category_description);        // tags removed, their text content kept
}
?>
to avoid XSS.
I get it up to here. The htmlspecialchars() function converts some predefined characters to HTML entities, htmlentities() converts characters to HTML entities and strip_tags() removes any tags altogether.
But after using htmlspecialchars(), htmlentities() and strip_tags(), the output now renders as
which I believe is safe but doesn't look good on the front page when fetched from the database.
How do I render an input which has been passed through htmlspecialchars or htmlentities?
My suggestion is to build a function to sanitize all your text inputs and a function to check all your outputs that come from the database or any other sources, like the following:
<?php
// filter for user input
function filterInput($content)
{
    $content = trim($content);         // strip surrounding whitespace
    $content = stripslashes($content); // undo backslash escaping (magic_quotes era)
    return $content;
}

// filter for viewing data
function filterOutput($content)
{
    // ENT_NOQUOTES encodes &, < and > but leaves ' and " untouched
    $content = htmlentities($content, ENT_NOQUOTES);
    // second argument false: emit <br> instead of <br />
    $content = nl2br($content, false);
    return $content;
}
Depending on your strategy, you might add extra features to the filter or remove some. But what you have in the functions here is enough to protect you against XSS.
EDIT: in addition to the above functions, this answer might also be relevant to part of your website protection.
Reference to the different methods:
- trim: http://php.net/manual/en/function.trim.php
- stripslashes: http://php.net/manual/en/function.stripslashes.php
- htmlentities: http://php.net/manual/en/function.htmlentities.php
- nl2br: http://php.net/manual/en/function.nl2br.php
It is also a good idea to look at the following links:
And importantly, it is good to be aware of the Top 10 risks and learn more about them.
I am not sure whether this is the right approach to the problem or not, but I found a function "htmlspecialchars_decode()" in the PHP manual. The manual says it does exactly the opposite of "htmlspecialchars()". I tried it and it works well.
The html_entity_decode() function is the opposite of htmlentities().
I have used HTMLPurifier which is a PHP filter library to sanitize HTML input.
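The allow-list approach behind the HTMLPurifier answer, written out as an added example in plain PHP with the bundled ext/dom (this is not code from the question, the answers, or HTMLPurifier itself; the helper names escapeText, sanitizeHtml, cleanNode and cleanAttributes and the sample input are constructed for the example). It also shows why the escaped output in the question looked wrong on the front page: the TinyMCE field is HTML, so entity-encoding it, or decoding it back with htmlspecialchars_decode() as the other self-answer does, is the wrong tool. Plain-text fields are escaped at output time; the HTML field is parsed and reduced to an allow-list of elements, a single permitted style rule (text-align, the only one the form uses), and http(s) links, so the record's paragraphs, headings, lists and alignment survive while script elements, event-handler attributes and javascript: URLs do not.

```php
<?php
declare(strict_types=1);

// Plain-text fields: escape at output time. ENT_QUOTES also encodes ' and ",
// so the same result is safe as element text and inside a quoted attribute.
function escapeText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Elements the editor is allowed to produce (assumed for this example); everything else is dropped.
const ALLOWED_TAGS = ['p', 'strong', 'em', 'h1', 'h2', 'h3', 'ol', 'ul', 'li', 'br', 'a'];

// Parse the fragment into a DOM, walk it, and serialize only what the allow-list permits.
function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // editor output is a fragment, not a full document
    $doc->loadHTML('<?xml encoding="UTF-8"><html><body>' . $html . '</body></html>', LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    cleanNode($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child); // text nodes are serialized entity-escaped
    }
    return $out;
}

function cleanNode(DOMNode $node): void
{
    // Snapshot the children: removeChild/insertBefore mutate the live list.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child); // comments, processing instructions, CDATA
            continue;
        }
        $tag = strtolower($child->tagName);
        if ($tag === 'script' || $tag === 'style') {
            $node->removeChild($child); // drop the element together with its contents
            continue;
        }
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unknown wrapper (div, span, font, ...): keep its cleaned children, drop the element itself.
            cleanNode($child);
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        cleanAttributes($child);
        cleanNode($child);
    }
}

function cleanAttributes(DOMElement $el): void
{
    foreach (iterator_to_array($el->attributes) as $attr) {
        $name = strtolower($attr->name);
        if ($name === 'style'
            && preg_match('/^\s*text-align\s*:\s*(left|right|center|justify)\s*;?\s*$/i', $attr->value, $m)) {
            // Rebuild the value from the match instead of trusting the editor's string.
            $el->setAttribute('style', 'text-align: ' . strtolower($m[1]) . ';');
            continue;
        }
        if ($name === 'href' && $el->tagName === 'a' && preg_match('#^https?://#i', $attr->value)) {
            continue; // http(s) only: javascript:, data: and vbscript: URLs are dropped
        }
        $el->removeAttribute($attr->name); // on* handlers, class, id, any other style rule, ...
    }
}

// Constructed demo input: the record from the question with an injected payload appended.
$stored = '<p style="text-align: justify;"><strong>Introduction</strong></p>'
    . '<ol><li style="text-align: justify;">point 1</li></ol>'
    . '<p style="color:red" onmouseover="alert(1)">tampered paragraph</p>'
    . '<script>alert(document.cookie)</script>'
    . '<a href="javascript:alert(1)">bad link</a> <a href="https://example.com/">good link</a>';
$categoryName = 'Typography <script>alert(1)</script> "quoted"';

echo '<h2>' . escapeText($categoryName) . '</h2>' . "\n";                          // text context
echo '<input name="category_name" value="' . escapeText($categoryName) . '">' . "\n"; // attribute context
echo sanitizeHtml($stored) . "\n";                                                   // rich-text context
```

Store the editor's HTML unchanged (through a prepared statement, which is a separate concern from XSS) and run sanitizeHtml() whenever it is rendered, so the allow-list can be tightened later without re-processing old rows. For production use, the HTMLPurifier library from the answer above does the same job with far more parser edge cases covered; the hand-rolled version here is to show what such a sanitizer actually does. Note that escapeText() uses ENT_QUOTES: a helper built with ENT_NOQUOTES, as in the first answer, leaves " unencoded and is therefore only safe for element text, not for values placed inside quoted attributes.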
Source: https://stackoverflow.com/questions/33411455/sanitizing-input-but-output-not-as-expected