Removing html, javascript etc from POST - php

I have a simple script which I'm using to POST one word and then display it with lines from list_of_files.txt. I just noticed that I can POST JavaScript, PHP and HTML. How do I strip this?
<?php
$files = file('list_of_files.txt');
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    foreach ($files as $list) {
        $extension = $_POST['extension'];   // untrusted request value
        echo trim($list) . trim($extension); // echoed into the page unencoded
        echo "</div>";
    }
} else {
?>
<!-- the HTML form shown here is omitted in the original post -->
<?php
}
?>

strip_tags($str) (http://php.net/manual/de/function.strip-tags.php) will remove ALL HTML tags
Example:
name=<strong>Finn</strong>&last_name=<script>alert('XSS');</script>
PHP:
$normal = $_POST['name'];             // <strong>Finn</strong>
$stripped = strip_tags($_POST['name']); // Finn

Are you looking for strip_tags?
This function tries to return a string with all NULL bytes, HTML and PHP tags stripped from a given str. It uses the same tag stripping state machine as the fgetss() function.
if you're looking to output, you can use htmlspecialchars.
The translations performed are:
'&' (ampersand) becomes '&amp;'
'"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
"'" (single quote) becomes '&#039;' (or &apos;) only when ENT_QUOTES is set.
'<' (less than) becomes '&lt;'
'>' (greater than) becomes '&gt;'
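An added example (not from the original question or answers) contrasting the loop from the question with a version that encodes on output instead of stripping on input; the file list and POST value are constructed stand-ins, and the opening <div> is assumed:

```php
<?php
// Added example. Assumed: $files comes from list_of_files.txt as in the
// question; here a constructed array stands in for it.
declare(strict_types=1);

// Encode a string for the HTML text context. ENT_QUOTES also makes the
// result safe inside quoted attributes; ENT_SUBSTITUTE avoids returning ''
// when the input is not valid UTF-8.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Behaviour of the question's loop: the POST value lands in the page as-is.
function render_unsafe(array $files, string $extension): string
{
    $out = '';
    foreach ($files as $list) {
        $out .= '<div>' . trim($list) . trim($extension) . "</div>\n";
    }
    return $out;
}

// Fix: keep the input unchanged, encode every untrusted value where it is
// written into HTML.
function render_safe(array $files, string $extension): string
{
    $out = '';
    foreach ($files as $list) {
        $out .= '<div>' . h(trim($list)) . h(trim($extension)) . "</div>\n";
    }
    return $out;
}

// Constructed sample input standing in for list_of_files.txt and $_POST.
$files     = ["report\n", "notes\n"];
$extension = '.txt<script>alert(\'XSS\');</script>';

echo "unsafe:\n", render_unsafe($files, $extension);
echo "safe:\n",   render_safe($files, $extension);

// strip_tags() removes tags but is not an output encoder: quotes and
// ampersands pass through untouched, so it cannot stand in for h().
echo "strip_tags keeps: ", strip_tags('"x" & y'), "\n";
```

Run it from the command line to compare the two renderings: the safe version shows the script tag as text because the tag characters were turned into entities.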

Escaping single quotes in a URL link

I have a link that is sent through some PHP code:
echo "<a href='" . $galerry . "#" . apastro(get_title($primid)) . "' class='linkorange'>voir sa galerie</a>";
$galerry links to another page.
get_title($primid) is the id of a specific element in $galerry page.
And the mechanism works fine until one of the elements id has a single quote in it. Which makes sense as it would interrupt the echo function.
This is why I have the apastro function:
function apastro($phrase){
$phrase1 = str_replace("'", "\'", $phrase);
return $phrase1;
}
Yet, the \ before the single quote isn't helping...
So let's say the link redirects to the element with id="l'aro" on the page something.php. Then the URL will be something.php#l\.
it would interrupt the echo function
It wouldn't. It would break a string literal delimited by ' characters, but your string literal is delimited with " characters. In this case, it is breaking the HTML attribute value which is delimited by ' characters.
\ is not an escape character for URLs or HTML.
Use urlencode to make a string safe to put into a URL.
Use htmlspecialchars to make a string safe to put into an HTML attribute.
$title = get_title($primid);
$urlsafe_title = urlencode($title);
$url = $galerry . "#" . $urlsafe_title;
$htmlsafe_url = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5);
echo "<a href='$htmlsafe_url' class='linkorange'>voir sa galerie</a>";
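An added example (not the answerer's code) that wraps the two-layer encoding above in a function and runs it over constructed titles, including the "l'aro" case from the question; rawurlencode() is used in place of urlencode() so that spaces become %20 rather than +, which a fragment does not decode:

```php
<?php
// Added example. Assumed: $galerry and the titles are constructed values
// standing in for $galerry and get_title($primid) from the question.
declare(strict_types=1);

// Encode innermost context first: the title is URL syntax inside the
// fragment, and the finished URL sits inside a single-quoted HTML attribute.
function gallery_link(string $galerry, string $title): string
{
    $url = $galerry . '#' . rawurlencode($title);
    $htmlsafe_url = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href='" . $htmlsafe_url . "' class='linkorange'>voir sa galerie</a>";
}

// The reversed order: HTML-encoding the title first turns ' into &#039;, and
// the URL encoder then escapes the entity's own characters, so the fragment
// no longer names the element id the page actually has.
function gallery_link_wrong_order(string $galerry, string $title): string
{
    $encoded = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $url = $galerry . '#' . rawurlencode($encoded);
    return "<a href='" . $url . "' class='linkorange'>voir sa galerie</a>";
}

// Constructed sample titles; the first is the case from the question.
$galerry = 'something.php';
foreach (["l'aro", 'a "b" & c', 'tag <x> here'] as $title) {
    echo "title: $title\n";
    echo "  right order: ", gallery_link($galerry, $title), "\n";
    echo "  wrong order: ", gallery_link_wrong_order($galerry, $title), "\n";
}
```

With the right order the quote in l'aro becomes %27 in the fragment and no character can end the attribute; the browser percent-decodes the fragment before matching it against the element id.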
If you're looking to escape single quotes only, use double backslashes, as follows
$str = str_replace("'", "\\'", $str);

hide just couple of html tags

I have a comment box. If I type in something like this
aa #Martins <aabb>
In database I save it like:
aa <span class="highlight" contenteditable="false">#Martins Vilskersts</span> &lt;aabb&gt;<span></span>
And for now I use this to show it:
$str = strip_tags(htmlspecialchars_decode(html_entity_decode($my_string_from_database)), '<br><br/>');
//here is some replace for links functionality
$replace = '<a href="javascript:;" class="..." id="..." ></a>';
$str = str_replace($link->tag, $replace, $str);
echo $str;
And I get a result like this:
aa #Martins
But I want to see it like this:
aa #Martins <aabb> -[with # functionality, but with some random <aaa><bbb> tags as plain text. Any idea?]
USE THIS:
just replace < by &lt; and > by &gt;
Keep this in mind as well:
'&' (ampersand) becomes &amp;
'"' (double quote) becomes &quot; when ENT_NOQUOTES is not set.
"'" (single quote) becomes &#039; only when ENT_QUOTES is set.
'<' (less than) becomes &lt;
'>' (greater than) becomes &gt;
If you just literally output the string as stored in the database, without using htmlspecialchars_decode, strip_tags, html_entity_encode, etc, then it'll come out properly.
You have already saved the parts you want to see as encoded characters, and the parts that should work as raw html in your database.

php string concatenation "A<"."B" does not work

I'm writing a function to output HTML elements. The problem is, when I try to concatenate these two strings:
$tag = "<" . "tag";
the instruction echo $tag outputs nothing. What is wrong?
As mentioned in comments, special characters like <, will be parsed by browser as HTML, therefore you won't see them as you expect.
It's almost the same thing:
$tag = 'p';
echo '<' . $tag . '>' . 'Test' . '</' . $tag . '>';
Which is the same as
echo '<p>' . 'Test' . '</p>';
So after script execution you'll see just
Test
in a browser. But when viewing the source, it will be
<p>Test</p>
If for some reason you want to see HTML tags, then you need to escape special chars using built-in function htmlentities().
In your case, you can just prepare a string, then just echo it like
echo htmlentities($string);
If by tag you mean an HTML entity then it's not going to be seen in the browser. You may need to do a 'view source' to see what was created by the echo call.

Print less-than and greater-than symbols in PHP

I am having trouble trying to print out < > symbols in HTML using PHP.
I am appending a string "<machine>" to a variable.
Example:
$output .= " <machine> ";
echo $output;
I tried using escapes, but that didn't help. Any advice?
&gt; = >
&lt; = <
Or you can use htmlspecialchars.
$output .= htmlspecialchars(" <machine> ");
If you are outputting HTML, you cannot just use < and > : you must use the corresponding HTML entities : &lt; and &gt;
If you have a string in PHP and want to automatically replace those characters by the corresponding HTML entities, you'll be interested by the htmlspecialchars() function (quoting) :
The translations performed are:
'&' (ampersand) becomes '&amp;'
'"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
"'" (single quote) becomes '&#039;' only when ENT_QUOTES is set.
'<' (less than) becomes '&lt;'
'>' (greater than) becomes '&gt;'
In your case, a portion of code like this one :
$output = " <machine> ";
echo htmlspecialchars($output, ENT_COMPAT, 'UTF-8');
Would get you the following HTML code as output :
 &lt;machine&gt; 
And, just in case, if you want to encode more characters, you should take a look at the htmlentities() function.
Your trouble is not with PHP, but rather with the fact that < and > are used in HTML. If you want them to display in the browser, you probably want to print out their escaped entity versions:
< is &lt;
> is &gt;
You can also use the htmlspecialchars() function to automatically convert them:
echo htmlspecialchars("<machine>");
You need to turn them into e.g. &lt; and &gt; - see the htmlentities() or htmlspecialchars() functions.
echo htmlentities($output);
or
echo htmlspecialchars($output);
If you don't want to bother manually going through your string and replacing the entities.
use "htmlspecialchars_decode()"
e.g.
<?php
$a= htmlspecialchars('<?php ');
$a=$a.htmlspecialchars('echo shell_exec("ipconfig"); ');
$a=$a.htmlspecialchars('?>');
echo htmlspecialchars_decode($a);
?>
The < and > symbols should be shown in the HTML source, but "<machine>" is interpreted as an XML tag. Use htmlentities() to convert all special characters in the string into their HTML equivalents, or use "&lt;machine&gt;"
Solution:
$output .= " <machine> ";
$output = htmlentities($output);
echo $output;

is there a function to add forward slashes before " inverted commas in a string

I am using PHP. I want to display a string, which comes as the title of a post, in a textbox as its value. If this title has inverted commas then the value attribute of the input field terminates on that quote. Now, as there is an addslashes function to add backslashes, is there a similar function to add forward slashes, but just before quotes and not any other character?
Use the htmlspecialchars function to encode the string within the value="..." attribute.
Example:
$sometext = 'Hello "world"!';
echo '<input type="text" value="' . htmlspecialchars($sometext) . '" />';
// outputs <input type="text" value="Hello &quot;world&quot;!" />
As I understand, you are trying to put some text into an HTML <input type="text" /> ?
If yes, you'll need to use the htmlspecialchars function ; for instance :
echo '<input type="text" name="my_element" value="'
    . htmlspecialchars($value, ENT_COMPAT, 'UTF-8')
    . '" />';
Note that you have to specify a charset, if you are not working in ISO-8859-1.
With this function (quoting) :
'&' (ampersand) becomes '&amp;'
'"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
''' (single quote) becomes '&#039;' only when ENT_QUOTES is set.
'<' (less than) becomes '&lt;'
'>' (greater than) becomes '&gt;'
You can use preg_replace, but what do you want to achieve with forward slashes?
$string = preg_replace('/"/', '/"', $string); // puts a forward slash before every double quote