I am trying to do some htmlentities. However, the hyperlinks are now broken due to them being converted to the html codes, wanting to do this as for some stupid reason the university has given us all the same password for the servers.
Last year I almost failed as someone went onto my server and filled with the javascript and css hacks, so this will prevent it, however it's not much use if the hyperlink won't work, so how do I prevent this? Here's the code I have so far for this specific area:
$sub = substr($row['content'],0,300).'.......... See full article';
echo htmlentities($sub,ENT_QUOTES,"UTF-8");
If anyone can help, it's much appreciated, thanks.
I think you're applying htmlentities() on too much of your output. Just do it like this:
<?php echo htmlentities(substr($row['content'],0,300)).
'…See full article'; ?>
Don't apply htmlentities over the whole link, but on the values you actually want to escape, like this
$sub = htmlentities(substr($row['content'],0,300), ENT_QUOTES, 'UTF-8') . '.......... See full article';
echo $sub;
Related
I use html entities to secure my site.
And my client want to add link in his post using the CMS.
how to make exception in html entities?
my code example:
<p><?php echo h($row['message']) ?></p>
//h is my function for htmlentities
My code display this message:
"You can click this link Link"
//And I dont know my data insert '\'
//It become Link
If my question is not clear please ask.
Really appreciate.
I believe what you want to do is pass into the DB with htmlentities() so it doesn't mess with your DB. To retrieve them you would use html_entity_decode(). The html_entity_decode() converts all strings with HTML entities back to there original string.
http://php.net/manual/en/function.html-entity-decode.php
Hopefully this answers your question.
Edit:
Raw data retrieved: http://www.example.com
Through htmlentities it spits out the HTML entities, which the browser cannot interpret when attempting to find that page. The use of htmlentities() (please if I'm wrong correct me) is to encode user input before passing it anywhere else.
User input: <script>hacks</script>
Passed though htmlentities:
<script>hacks< (whatever backslash is)script>
(This way it can't mess with anything in your database, better example is the use of PHP/MySQL but I'm not well versed to give that exact example at the moment.)
However this would expose your site when decoding it as well and other precautions would have to be taken.
Try this :
<?php
$link = h(stripslashes($row['message']));
?>
You can click this link <a href='<?php echo $link; ?>'>Link</a>
Fetch data from mysql.
Then echo with echo htmlspecialchars( $content['MainText'] , ENT_NOQUOTES, "UTF-8");.
Tried to echo without htmlspecialchars javascript like <script> alert('Hello');</script> and saw pop up box. So it is not good to echo without htmlspecialchars.
But with htmlspecialchars can not correctly display hyperlinks and images and also <h2>, <span> etc. Also not acceptable.
At the moment tried to replace some characters like
$content_main_text_modified =
str_replace(
array( '<br/>', '<br>', '</a>', ">", '<a', '<div', '<img', '</div', '<h2', '</h2', 'amp;amp;', '<span', '</span' ),
array( '<br/>', '<br>', '</a>', ">", '<a', '<div', '<img', '</div', '<h2', '</h2', '', '<span', '</span' ),
( htmlspecialchars( $content['MainText'] , ENT_NOQUOTES, "UTF-8") )
);
echo $content_main_text_modified;
My idea is not to replace sole < with <, but instead to replace < together br, a, <h2. So if in mysql would be like <script> it would not execute.
Want to check (get opions) if my idea is safe idea? And possibly some recommendations.
I think a different idea would be to stop it being stored that way in the first place so that you can just echo it. What you are referring to is an xss attack where someone can enter JavaScript that can then be executed on another users browser take a look at this link for more detailed information about xss click here.
As for a way to remove it what I would do is some form of validation on the imputed data there are so many ways to do this I would suggest reading the link above and that will give you an idea how to stop it and mean you can then just do a simple echo. Doing validation like this will also help to prevent sql injection attacks although that will require some more work.
This wont work every time and some people also suggest that you use htmlspecialchars but when you are working with html this causes issues as you know, you just have to make your best attempt no system can stop everything.
Not knowing exactly what your are doing it is impossible to say but you might find it useful to use some kind of template engine so the HTML is sepperate from the code and you can use the function htmlspecialchars() as you can then just pass out text to the template.
Take a look at http://htmlpurifier.org/ and the HTML.Allowed directive; where you can set tags that are allowed.
Use strip_tags($content['MainText'], '<a><h2><div><span><br><img>');
Or you can use htmlspecialchars then use this preg_replace('#<(/?(?:a|h2|div|span|br|img))>#', '<\1>', $html);, for example:
$content_main_text_modified = htmlspecialchars($content['MainText']);
$content_main_text_modified = reg_replace('#<(/?(?:a|h2|div|span|br|img))>#', '<$1>', $content_main_text_modified);
http://au1.php.net/manual/en/function.strip-tags.php
I am not able to figure out how to get an HTML out of a simple quoted_pritable_decode command.
Consider the following code from w3schools.
$str = "Hello=0Aworld.";
echo quoted_printable_decode($str);
The output for this code is:
Hello world.
However, when I view the source it is:
Hello
world.
Well, I am trying to figure out if there is a simpler way to get the second output. I would like to store it in my database in HTML format. I am aware of way arounds like replacing the encoded part, however, is there a recommended way here?
Edit 1:
Both the answers are perfectly fine and a precise explanation from Xavier was great. Since, I just have to mark one as correct, I mark the one which I believe is more precise.
You could use nl2br() encapsulating that when you are storing it into your table.
<?php
$str = "Hello=0Aworld.";
echo nl2br(quoted_printable_decode($str));
Change your code to:
$str = "Hello=0Aworld.";
echo "<pre>" . quoted_printable_decode($str) . "</pre>";
What you echo is being interpreted as pure HTML, and HTML doesn't honor newlines, except when you use tag. You also could do a echo str_replace('\n','<br>',quoted_printable_decode($str)); (i.e. AFTER decoding)
I'm quite new here. I'm trying to make a blog/journal site that allows users to post their own journal. I'm still quite reluctant on making it because I am really afraid of malicious code injections.
So here's a sample code:
<?php
$test = "<b>blah</b>"; //User input from SQL
echo "$test";
?>
What will come out is just the word "blah" in bold right? What I was trying to achieve was to echo "<b>blah</b>" instead. I don't want people to put some PHP codes that can actually mess up my whole web page. Please keep in mind that the variable $test is actually a MYSQL query, so that variable will be needed as an example. I know you can do echo '$test'; but it just comes out as "$test" instead. I feel like pulling my hair out I can't figure it out yet.
The second solution I know of is the htmlspecialchars(); function, but I want the strings to display as what I typed, not the converted ones...
Is there any way I can do that?
I think the OP wants the HTML itself to be output to the page, and not have the tags stripped. To achieve this, you can run the string first through htmlentities()
$test = '<b>blah</b>';
echo htmlentities($test);
This will output:
<b>blah</b>
Which will render in the page as
<b>blah</b>
Echo don't execute PHP code from string. This is impossible and this is not security hole in your code.
You can use a template engine like Twig for exemple.
If htmlspecialchars(); is not the one you are looking for, try the header() option.
header('Content-type: text/plain');
When you are gonna give <b>Hi</b> to a browser, it will be displayed in Bold and not the text be returned. But you can try this way, outputting it inside a <textarea></textarea>.
Or the other way is to use htmlentities():
<?php
$test = "<b>blah</b>"; //User input from SQL
echo htmlentities("$test");
?>
So I'm trying to do something extremely simple, and after reading through forums, and researching on google I still can't figure out why this is not working. But this is mostly like because I'm still a very much noobie programmer. I'm trying to send information through a url, and having a script pick it up using the $_GET super global.
Here's the link code, in a file called TESTFORM.php:
<p>
Here's a link:
ID
</p>
This is the TESTGET.php script:
<?php
if (isset($_GET['id']))
echo 'it is set<br />';
else
echo 'it is not set<br />';
?>
This yields in a "It is not set" appearing on the page every time. Any thoughts? Are there ghosts in my computer ruining my code? Thanks for taking the time to read through this! Happy coding!
I'm no PHP programmer, but I do know from HTML that computers (especially file names) don't "like" spaces. Try removing the spaces in the id = 5 code.
Your problem is the extraneous space here around the URL parameters:
ID
That will result in PHP seeing the parameter as $_GET["id_"]. The space gets converted into an underscore.
It's always best to use var_dump($_GET); or var_dump($_REQUEST) when you run into such problems. Secondarily it is sometimes helpful to get rid of isset in such cases. Albeit you have a custom error message in place of the language notices intended just for that.
Have you tried to remove spaces in your link?
ID
Code seems fine at a glance, have you tried removing the spaces in
?id = 5 to ?id=5