This question already has answers here:
How to output HTML but prevent XSS attacks
(2 answers)
Closed 4 years ago.
I have comment system based on the forms and PHP catching POST. I'm trying to make some sort of formatting (bold, underscrores, italic...) but I'm using XSS protection: htmlspecialchars().
How to tell PHP not to parse and other tags? Is any JS editor which can edit text and send it as textarea?
Probably the safest way is to settle for something like markdown for the simple formatting and then convert that to HTML at the point of output.
If you want to use actual HTML, I would go for a whitelist approach of tags that you want to keep and using strip_tags with that whitelist as a first approach to it. Although using another format like markdown is probably the safer variant.
Related
This question already has answers here:
How to prevent XSS with HTML/PHP?
(9 answers)
Closed 7 years ago.
I know this type of question is not generally allowed, but I cannot find an answer anywhere.
Is SQL injection protection necessary even if you're not using databases/MySQL?
If I have a basic mail form in PHP that sends things to my email do I need to protect that form?
If you're not using a database then no, you don't need to protect against attacks that exploit database queries. Emails have a whole set of exploits of their own and I recommend using a library such as phpmailer or swiftmailer which will help with this. Either way, you should always verify that the data submitted from the form is in the format you expect it to be.
You need XSS protection for mail forms. You don't want a user being able to inject javascript and such into an email. A simple way to prevent XSS is to use htmlentities() to disallow HTML tags such as <script>..</script> in the user input. htmlentities converts a tag like <script> to <script>
This question already has answers here:
Preserve and display text exactly how it is typed and submitted
(2 answers)
Closed 8 years ago.
** Update - following the link that deceze kindly posted to a similar question lead me to a great article by deceze here The Great Escapism which gave me all the answers I needed. To anyone finding this question due to similar issues I urge you to read this article **
I'm allowing users to enter information through a textarea on my site.
I'm aware that there is a security risk whenever a user can enter information into a site.
I want to be able to preserve whitespace / newlines from their entry but I'm also mindful of stripping HTML tags etc out of their input.
I have written a function that replaces \r\n with <br/> before the data retrieved from the database gets outputted to the browser (I also stripslashes before I output to the browser).
I have a function that will strip out HTML tags from the entered text that I can run before putting the user entry into the database.
I'm unsure if this is all that I need to do? Does anyone have either a list of checks I need to do before putting user-entered info into the database and then before displaying it in a browser? Or even a set of sanitising functions that they use for this?
I've looked at esc_html() and sanitize_text_field() and filter_var($output, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES) but I'm really unsure when I should be using what function?
Help much appreciated :-)
You can use mysql_real_escape_string() to prevent sql-injection. You can find a good basic tutorial here
This question already has answers here:
How can I sanitize user input with PHP?
(16 answers)
Closed 8 years ago.
For global safely, is it safe to to use htmlspecialchars or striptags when user POST or GET in php ?
for example, htmlspecialchars any post and get that sent by request and save that to the database
For displaying purposes you could just use htmlspecialchars() or htmlentities() to ward of the common XSS attacks.
It is not suggested to strip_tags() the data (unless it is really neccessary) , because that may lose all formatting if the user had provided any.
I would do sanity-checks depending on what you're expecting to get.
A good reading (like always) is the OWASP cheat-sheet: https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet#XSS_Cheat_Sheet
If you're expecting plain text, always use htmlspecialchars() when showing it by the web-client. Some template-engines, like Twig, already do that by default. For this case, I wouldn't do any checks when saving to the database, because you may need to encode it differently for another client later - and you expect it to be plain-text, right?
If the user has an RTE and can make use of HTML, I'd use strip_tags() or a method like used in other frameworks. An example is http://svn.openfoundry.org/wowsecmodules/trunk/filter/RemoveXSS.php. TYPO3 also has a pretty good one that you can view by downloading the package and looking into typo3/contrib/RemoveXSS/RemoveXSS.php
A workaround would be to use stuff like BB-Code or Markdown, handled as plain-text, that is later compiled to HTML in your code, but this mostly confuses the editor, if he isn't used to stuff like that.
What I do not recommend at all, but it's possible is to let the browser do the job - see XSS Basic Understanding
EDIT:
The two libs, I linked here for removing XSS from HTML-data, are both based on the same one, but have been forked into different projects and the communities applied fixes and so on. The goal of this method is like yours, even so I do not support it, because it sounds like a one-size-fits-all solution:
Usage: Run *every* variable passed in through it.
* The goal of this function is to be a generic function that can be used to
* parse almost any input and render it XSS safe. ...
Why I am against running this method on every input-variable? You do not think about what you really want to get. Maybe you just want plain-text ... In this case, as I wrote earlier here, you don't need to do that, but just use htmlspecialchars() when showing it in an HTML context.
This question already has answers here:
How to prevent XSS with HTML/PHP?
(9 answers)
Sanitizing HTML input
(5 answers)
Closed 9 years ago.
I want to provide an HTML editor on my site, but don't want to open myself up to xss or other attacks that come with allowing user-generated HTML.
This is pretty similar to what Stack Overflow does. How is the HTML checked/sanitized here so that the styling information still remains, while other, more dangerous stuff (like javascript, iframes, etc.) are kept out?
Are there any libraries (preferably in PHP) that already do this?
PHP has a function strip_tags that strips HTML and PHP tags from a string, and allows you to specify certain allowable tags. But as #webarto states, there are libraries that do this better.
From the PHP Manual.
Your can use
strip_tags($yourData,"<a><p><div><i>") // more tags you want to keep;
If your using SQL too use
mysql_real_escape_string($data);
This is really all you need to not get injected. Do keep in mind, when using mySQL real escape you need to use strip slashes to remove them when you echo them out.
Here are the docs for strip tags and the docs for mysql escape.
If you wish to allow some (X)HTML and restrict only tags viewed as unsafe, you can use something like KSES. Wordpress uses a solution like this.
http://sourceforge.net/projects/kses/
In addendum to Whymarrh's post, suggestion is to have the code work take place in a subfolder of your site, and auto-alter any code that has "..", or "http://" or any mysql commands.
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
How to encrypt HTML, CSS and JavaScript to prevent theft
Is there any technique in PHP language, or some software available to encrypt the html code that is seen while clicking on view source and view generated source on browsers.Can the code be encrypted to binary strings ie( 0 and 1) format.
No. The browser needs valid HTML to display the document. There is no way to encrypt HTML.
The whole world is serving pages that are not encrypted, so it stands to reason it's not necessary, either.
People will always be able to get to your html - even if you did find some way to obfuscate / hide it, maybe using javascript, anyone can always use wget or similar to view it.
No. You can obscure it a bit, but in the end your browser needs to read it, and it reads HTML.
In a word: no. You can make the HTML ugly by removing whitespace, but the browser needs to be able to read it! You can obfuscate your Javascript pretty darn well by removing whitespace and newlines and using short or crazy variable names: for example see here.