This question already has answers here:
How to prevent XSS with HTML/PHP?
(9 answers)
Closed 4 years ago.
I'm using PHP. I'm attempting to prevent some XSS on my page. One test I'm running has this in the url params:
www.mypage.com?error=<script>alert(11170579)</script>&foo=one&bar=two
The errorr=... param is not coming from a form input. It's just inserted into the url.
How can I use Javascript to escape/decode the tags so the alert() does not execute? I did find a couple of examples of parsing the param values in the url, but none mentioned how to prevent or change the code so it did not run.
Thanks for any help.
Take a look at PHP's htmlspecialchars function. This seems to be what you want:
<?php
echo htmlspecialchars($_GET['error']);
?>
Related
This question already has answers here:
How to output HTML but prevent XSS attacks
(2 answers)
Closed 4 years ago.
I have comment system based on the forms and PHP catching POST. I'm trying to make some sort of formatting (bold, underscrores, italic...) but I'm using XSS protection: htmlspecialchars().
How to tell PHP not to parse and other tags? Is any JS editor which can edit text and send it as textarea?
Probably the safest way is to settle for something like markdown for the simple formatting and then convert that to HTML at the point of output.
If you want to use actual HTML, I would go for a whitelist approach of tags that you want to keep and using strip_tags with that whitelist as a first approach to it. Although using another format like markdown is probably the safer variant.
This question already has answers here:
What does "javascript:void(0)" mean?
(14 answers)
Closed 5 years ago.
In HTML you can write href="#" to prevent a page reload, however in php this doesn't appear to work. Is there an alternative?
It adds # to the existing url, but that's not what I want. I also don't want to remove the href since it replaces the cursor with a select text cursor, and I don't really want to be changing my css for what should be basic php.
I'm sure im just doing something wrong anyway. Thanks!
By using a hash you're attempting to tell the browser to navigate to an anchor on the page. If you want to cancel the default behavior and not modify your CSS simply void the anchor's behavior with Javascript:
...
There's a very good description of what this does and why you would use it here: What does "javascript:void(0)" mean?
Not be the best. But if I had this issue, I'll use onclick
texts
Online Preview
This question already has answers here:
What are the common defenses against XSS? [closed]
(4 answers)
Closed 9 years ago.
How do I get the url from the address bar and try to sanitize it to prevent cross side scripting?
For example in this link,
www.somesite.com/login/login.php
how do I prevent it from
www.somesite.com/login/login.php/"><h2>This%20is%20our%20cookie<h2>
<script>document.write%28document.cookie%29</script></h2>
Do I use the $_SERVER to get the url from address bar then what should I use to sanitize the link?
Thank you.
To obtain it, you can refer to $_SERVER['REQUEST_URI'].
If you want to append it to HTML, escape it using htmlspecialchars().
For url
$url = "http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']
check this link for detail
http://www.phpeasystep.com/phptu/27.html
For sanitizing as rid said you can use
htmlspecialchars() (http://ca3.php.net/htmlspecialchars)
Instead you can use http://php.net/manual/en/function.preg-replace.php to sanitize the $url that you receive, by using that you can remove anything that comes after .php by replacing those using a empty string.
Also please have a look at this post.
Removing unwanted characters from URL in htaccess
If you want to sanitize the url on the server-side, use mysql_escape_string($_SERVER['REQUEST_URI']). Even more, use var_dump($_SERVER) to see all the values you can use and play around with them. Btw, why are you sanitizing the URL? What do you want to do with it? I assumed you wanted to put it into a database, but if you want to just remove all the html code from it, the browser will already do the escaping, so you don't really need to do it...
If you want to sanitize it on the client-side, that will make no point, since the attacker can always generate his own http request, using his own tools, not even using the browser.
This question already has answers here:
What is the difference between client-side and server-side programming?
(3 answers)
Closed 9 years ago.
I'm trying to connect to my SQL server via Javascript.
In order to do this, I have to execute some PHP code, but I'm having some trouble with that.
At the moment I use this code to execute a PHP script, without success
function testConnection()
{
$.get("script/SQL/testConnection.php");
}
How is it possible to execute some PHP code, or connect to the server and execute SQL queries?
Thanks
Matt
That $.get call you have is a relative URL. Let's say your user is on page domain.com/home/. If you use that code block, the user's browser is going to make a GET request to domain.com/home/script/SQL/testConnection.php. Is that what you are expecting?
What HTTP status code are you receiving back?
This question already has answers here:
How to prevent XSS with HTML/PHP?
(9 answers)
Sanitizing HTML input
(5 answers)
Closed 9 years ago.
I want to provide an HTML editor on my site, but don't want to open myself up to xss or other attacks that come with allowing user-generated HTML.
This is pretty similar to what Stack Overflow does. How is the HTML checked/sanitized here so that the styling information still remains, while other, more dangerous stuff (like javascript, iframes, etc.) are kept out?
Are there any libraries (preferably in PHP) that already do this?
PHP has a function strip_tags that strips HTML and PHP tags from a string, and allows you to specify certain allowable tags. But as #webarto states, there are libraries that do this better.
From the PHP Manual.
Your can use
strip_tags($yourData,"<a><p><div><i>") // more tags you want to keep;
If your using SQL too use
mysql_real_escape_string($data);
This is really all you need to not get injected. Do keep in mind, when using mySQL real escape you need to use strip slashes to remove them when you echo them out.
Here are the docs for strip tags and the docs for mysql escape.
If you wish to allow some (X)HTML and restrict only tags viewed as unsafe, you can use something like KSES. Wordpress uses a solution like this.
http://sourceforge.net/projects/kses/
In addendum to Whymarrh's post, suggestion is to have the code work take place in a subfolder of your site, and auto-alter any code that has "..", or "http://" or any mysql commands.