I am trying to figure out how to filter special characters out of URLs to prevent HTML injection.
For example, our wordpress site has a search on it where you can alter the URL to have:
?s=<h1>Something went wrong, please click the logo below to try again</h1><a
href=https://google.ca><img src=/wp-content/uploads/2022/09/footer-logo-dark.svg></a>
And this will create a page that has a link to google, and I am trying to prevent the use of < and > within URLs.
Everywhere I look says to alter htaccess or use urlencode, but my rewrite rules did not work, and I cannot figure out how urlencode works (or if it is appropriate here).
Is this possible?
Related
I've tried to search for the best way to handle links on a dynamic website when using "Clean" or "Pretty" URLs, but have not been able to find anything.
I've found a LOT of information on how to use mod_rewrite and try_files, which I've implemented successfully, now my php front controller parses all the parameters on a URL, and it links to the page correctly. No problem here.
The issue I'm having is how to best build all the links on my pages. Currently my links are all in the format eg. "www.site.com?do=post&id=23" which works fine. However I'd like them to display as "www.site.com/post/23" which already also works fine, because of try_files, and how my front controller parses all the parameters from the URL.
However do I now go through all my code and change all the dynamically built links to build in the "www.site.com/post/23" format? It seems like a lot of work, and to be honest I'd like to leave it an "option" to either use Clean or Dirty URLs, similar to how Wordpress allows it as an option in their Admin panel.
Do sites like that keep links in the format "www.site.com?do=post&id=23" and use a rewrite function on all the links when the page is created? So the links show up as Clean when the user sees it?
I'm confused as the best way to handle this, and hope I explained what I'm looking for. I just want to know how best to handle the dynamic links and have it optional to display as clean or dirty url format, for lack of a better word.
Thanks for any help.
That's a very conceptual question...
You could see how Laravel framework router works.
You do not need to use it, but you can get ideas there.
The router class is responsible for knowing how to create a URL to some resource, page, action, whatever you want.
So in your view you just call a method that returns the URL.
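The router idea from this answer in code: one helper that every view calls to build links, with a single setting that decides whether the output is the "dirty" query-string form or the "clean" path form. This is an added example, not Laravel's router or code from the original post; the ROUTE_STYLE constant and the url() function are hypothetical names, and the clean form assumes the front controller described in the question already maps /post/23 back to do=post&id=23 in positional order.

```php
<?php
// Added example (not from the original answer): a single URL builder so the
// templates never hard-code either link format. Flip ROUTE_STYLE (in a real
// site, read it from the settings table the admin panel edits) to switch
// every link on the site between clean and dirty URLs at once.

const ROUTE_STYLE = 'clean'; // or 'dirty'

/**
 * Build a link to an action with optional parameters.
 *
 * Every value is percent-encoded, so a user-controlled id or name can neither
 * add extra path segments nor inject a second query parameter.
 */
function url(string $do, array $params = [], string $style = ROUTE_STYLE): string
{
    if ($style === 'clean') {
        // Clean form: /do/value1/value2 ... keys are dropped, so the order of
        // $params must match what the front controller expects.
        $segments = [rawurlencode($do)];
        foreach ($params as $value) {
            $segments[] = rawurlencode((string) $value);
        }
        return '/' . implode('/', $segments);
    }

    // Dirty form: http_build_query() encodes both keys and values for us.
    return '/?' . http_build_query(['do' => $do] + $params);
}

/** Wrap the URL for use inside an HTML attribute. */
function linkTo(string $text, string $do, array $params = []): string
{
    $href = htmlspecialchars(url($do, $params), ENT_QUOTES, 'UTF-8');
    $label = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '">' . $label . '</a>';
}

// In a view:
echo linkTo('Read post', 'post', ['id' => 23]);
```

Note that the builder encodes twice on purpose: rawurlencode()/http_build_query() for the URL itself, then htmlspecialchars() because the URL is being placed inside an attribute. Skipping the second step is how a crafted id ends up breaking out of the href.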
So, I've just installed a code pasting utility on my website (like PasteBin basically, but using the open source PASTE script).
At the moment, a paste will be saved in the SQL database, with an integer ID.
The paste utilities directory is http://example.com/paste, and pastes can be found at http://example.com/paste/12345.
What I'd like to do, is create an htaccess rule so that when the user clicks on http://example.com/12345, they will be taken to http://example.com/paste/12345.
I've looked around at other questions, but none seem to ask (or solve) the same sort of question. But I could have looked in the wrong place, and someone will have a link to an answer within minutes of me posting. That would be equally great, but I'd prefer a more tailored solution, if possible.
NOTE: If anyone just wants to change the clickable link from http://example.com/paste/12345 (for example) to http://example.com/p/12345 without changing the actual subfolder name, check out my comment in the Accepted Answer. Otherwise, Dope Monk's solution will work fine for my initial problem.
You will need to have a simple rule in your .htaccess using mod_rewrite. However, you must ensure that mod_rewrite is enabled when you use this rule
Add this:
# In a per-directory .htaccess the matched path has no leading slash, and the trailing slash should be optional
RewriteRule ^([0-9]+)/?$ /paste/$1 [NC,L]
Hi, I want to make safe URLs for a website. I used PHP's explode function this way:
$explode = explode("/",$_SERVER['REQUEST_URI']);
I was then extracting the names inside the URL with $explode[2] etc., and then combined them with the DB through SQL statements to get the ids, names and whatever else. The entered URL was like
http://www.example.com/index.php?var1=value1&var2=value2&var3=value3
and made it
http://www.example.com/value1/value2/value3 through .htaccess.
Code there is
# [^/]+ keeps each value to a single segment; QSA preserves any ?a=b query string that the existing links still pass
RewriteRule ^([^/]+)/([^/]+)/([^/]+)/?$ index.php?var1=$1&var2=$2&var3=$3 [L,QSA]
But the site's PHP is already fully written, so I do not want to change all the GET queries in the URLs, because right now they are not working. Is there an easier way to do this, or can you correct the code so I can use the GET functions above again? I forgot to mention that in the URL value1, value2 etc. are not ids (numbers) but the corresponding names. For example, if it is for furniture the URL is
www.example.com/furniture/chair/.. not www.example.com/3/24/...
Is there any other way to achieve this functionality? Thanks.
I'd say you might also be looking for something like
PHP dynamic DB page rewrite URL
Which will gather any and all variables from a URL, and you can use them accordingly from there on in. It would be using .htaccess and a similar logic to what you're wanting to do, less the rewrite rule the way you have it now.
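A concrete version of the approach this answer points at, written as an added example rather than code from the question, the answer, or the linked post. It assumes a catch-all rewrite (RewriteCond %{REQUEST_FILENAME} !-f followed by RewriteRule ^ index.php [L,QSA]) sends every request to index.php, and that the existing pages read $_GET['var1'] .. $_GET['var3']; the SEGMENT_KEYS list, the mapPathToGet() and lookupItemId() functions and the items/categories tables are hypothetical names.

```php
<?php
// Added example (not from the original post): a small front controller that
// splits /furniture/chair into validated segments and publishes them through
// $_GET, so the already-written pages keep calling $_GET['var1'] unchanged.

const SEGMENT_KEYS = ['var1', 'var2', 'var3']; // hypothetical parameter names

/**
 * Map the path part of the request URI onto $get (normally $_GET).
 * Returns the accepted key => segment pairs.
 */
function mapPathToGet(string $requestUri, array &$get): array
{
    // Keep only the path, then decode %xx escapes exactly once.
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        $path = '/';
    }
    $segments = array_values(array_filter(explode('/', rawurldecode($path)), 'strlen'));

    $accepted = [];
    foreach (array_slice($segments, 0, count(SEGMENT_KEYS)) as $i => $segment) {
        // Only slug-like names are accepted. Anything else (angle brackets,
        // quotes, NUL bytes) is refused here instead of reaching SQL or HTML.
        if (!preg_match('/\A[a-z0-9][a-z0-9_-]{0,63}\z/i', $segment)) {
            throw new InvalidArgumentException('Bad path segment: ' . bin2hex($segment));
        }
        $key = SEGMENT_KEYS[$i];
        // An explicit ?var1=... in the query string still wins, as it did before.
        if (!isset($get[$key])) {
            $get[$key] = $segment;
        }
        $accepted[$key] = $segment;
    }
    return $accepted;
}

/**
 * Resolve a category name and item name to the row id.
 * Names come from the URL, so they are bound as parameters, never concatenated.
 */
function lookupItemId(PDO $db, string $category, string $item): ?int
{
    $stmt = $db->prepare(
        'SELECT i.id FROM items i
           JOIN categories c ON c.id = i.category_id
          WHERE c.slug = :category AND i.slug = :item'
    );
    $stmt->execute([':category' => $category, ':item' => $item]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// index.php glue: run the mapping before any legacy page code is included.
// After this, /furniture/chair yields $_GET['var1'] === 'furniture' and
// $_GET['var2'] === 'chair', and the old GET-based code works as before.
mapPathToGet($_SERVER['REQUEST_URI'], $_GET);
```

The whitelist regex is the part worth keeping even if the rest changes: because the names in the URL are looked up in the database and usually echoed back into the page, the controller is the one place where every path value can be checked before either use.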
A security report for my website shows this vulnerability:
Reflected XSS:
Request: GET http://example.com/page.php?q=< wslite > HTTP/1.1
What is the meaning of this error, what is the meaning of <wslite>, and how can I solve this problem?
thanks
It means there is a GET vulnerability within the ?q section of your site. They can implant code there. Try visiting your site with ?q=<u>XSS</u>, and it should bring up the word XSS (underlined) somewhere within the page. These can be very dangerous. So ensure you sort it out. Update whatever CMS you are using, or use htmlentities() in PHP to ensure the user cannot insert HTML.
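Both this question and the first one on the page (the WordPress search parameter that renders <h1> and <a> tags) are the same defect: a query parameter echoed straight into the HTML. The following added example, which is not code from either post, shows the vulnerable pattern beside the htmlentities()/htmlspecialchars() fix the answer recommends. page.php and the $q variable stand in for the reporter's own page; the function names are hypothetical.

```php
<?php
// Added example (not from the original posts): reflected XSS in a search/query
// parameter, shown as the unsafe rendering next to the encoded version.

// VULNERABLE: the raw parameter lands in the markup, so ?q=<u>XSS</u> or the
// <h1>...<a href=...> payload from the WordPress search example is rendered
// as HTML instead of being displayed as text.
function renderSearchHeadingUnsafe(string $q): string
{
    return '<h1>Results for ' . $q . '</h1>';
}

// FIXED: encode at the point of output. htmlspecialchars() turns < > & " '
// into entities, so the browser shows the payload literally.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSearchHeading(string $q): string
{
    return '<h1>Results for ' . escapeHtml($q) . '</h1>';
}

// Optional input-side tidy-up for the search box only. It is NOT a substitute
// for output encoding: the same value may be echoed in other contexts
// (attributes, JavaScript, logs), each of which needs its own encoding.
function normalizeSearchTerm(string $q, int $maxLen = 200): string
{
    $q = preg_replace('/[\x00-\x1F\x7F]/', '', $q); // strip control characters
    return mb_substr(trim($q), 0, $maxLen, 'UTF-8');
}

// page.php: ?q[]=x would arrive as an array, so check the type before use.
$raw = $_GET['q'] ?? '';
$q = normalizeSearchTerm(is_string($raw) ? $raw : '');

header('Content-Type: text/html; charset=UTF-8');
// A restrictive CSP limits what an injected tag can do if an encoding is ever missed.
header("Content-Security-Policy: default-src 'self'");

echo renderSearchHeading($q);
```

On the idea of blocking < and > at the web server instead: a rewrite condition that matches the literal characters misses the same payload sent as %3C and %3E, which the application decodes before use. Encoding the value where it is written into the page is what actually closes the hole; server-side filters can at most reduce noise.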
Currently my site's URLs are:
http://www.domain.com/accreditation_training_view.php?id=1
I would like the URL to be the page's title from the database instead. In the table, the title of the page is simply the 'title' column.
The page title is: "DISC Accreditation"
I would like the URL to look like this:
http://www.domain.com/disc_accreditation
Some pages have the '&' symbol in them. I would like them replaced with the word 'and'. I would like any uppercase letters reduced to lowercase.
I am just not sure the best way to attack the htaccess and corresponding php code. I have seen other examples on this site, but nothing exactly like this.
Any help is greatly appreciated.
Scott
I can't see any way to do it regularly by .htaccess because you need to get the page title (which is in the content of your site, where .htaccess can't access).
Yet, if you are using any CMS or framework (WordPress, Joomla!...), there may be URL rewriting included (or via plugins); have a check!
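Since the answer notes that .htaccess cannot see the page title, the workable split is: one catch-all rewrite rule, and PHP that derives the slug from the title when the page is saved and looks it up again on each request. The following is an added example, not code from the question or answer; the accreditation_training table, the slug and body columns, and the function names are hypothetical (only the 'title' column is from the question), and the rewrite rule shown in the comment is assumed.

```php
<?php
// Added example (not from the original posts). Assumed .htaccess:
//   RewriteEngine On
//   RewriteCond %{REQUEST_FILENAME} !-f
//   RewriteCond %{REQUEST_FILENAME} !-d
//   RewriteRule ^([a-z0-9_]+)/?$ accreditation_training_view.php?slug=$1 [L,QSA]

/**
 * "DISC Accreditation" -> "disc_accreditation"
 * "Sales & Marketing"  -> "sales_and_marketing"
 */
function slugify(string $title): string
{
    $slug = str_replace('&', ' and ', $title);
    $slug = mb_strtolower($slug, 'UTF-8');
    // Fold accented letters to ASCII where the locale allows; iconv returns
    // false for input it cannot transliterate, in which case keep the original.
    $ascii = @iconv('UTF-8', 'ASCII//TRANSLIT', $slug);
    if ($ascii !== false) {
        $slug = $ascii;
    }
    // Every run of characters outside a-z / 0-9 becomes a single underscore.
    $slug = preg_replace('/[^a-z0-9]+/', '_', $slug);
    return trim($slug, '_');
}

/**
 * Pick a slug that is not already taken, appending _2, _3, ... on collision.
 * Store the result in a slug column backed by a UNIQUE index when the page is saved.
 */
function uniqueSlug(PDO $db, string $title): string
{
    $base = slugify($title);
    $stmt = $db->prepare('SELECT COUNT(*) FROM accreditation_training WHERE slug = :slug');
    $slug = $base;
    for ($n = 2; ; $n++) {
        $stmt->execute([':slug' => $slug]);
        if ((int) $stmt->fetchColumn() === 0) {
            return $slug;
        }
        $slug = $base . '_' . $n;
    }
}

/**
 * On request: resolve ?slug=disc_accreditation to the page row, or null.
 * The slug is user-controlled, so it is validated and bound as a parameter.
 */
function findPageBySlug(PDO $db, string $slug): ?array
{
    if (!preg_match('/\A[a-z0-9_]{1,100}\z/', $slug)) {
        return null; // nothing the rewrite rule could legitimately have produced
    }
    $stmt = $db->prepare('SELECT id, title, body FROM accreditation_training WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

Storing the slug rather than recomputing it from the title on every request keeps old links working after a title is edited, and it means the only thing the rewrite rule has to pass through is a short, strictly validated token.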