I'm trying to escape the input fields in a standard HTML form while using the Liquid templating engine in Octopress.
<input type="hidden" name="post_title" value="{{page.title}}" />
What is the Ruby/Liquid equivalent to PHP's htmlspecialchars? Is there already a filter that does this, or do I need to use a custom replace?
It seems that the standard escape filter will do the trick.
<input type="hidden" name="post_title" value="{{ page.title | escape }}" />
Although the documentation on the filter is annoyingly non-helpful, checking the code, it uses CGI.escapeHTML which has a much better documentation page and seems to escape the same characters as the PHP equivalent.
Note that it only escapes double quotes, so single quote escaping will need to be done manually if needed.
CGI::escapeHTML("<foo>&&&</foo>")
#=> "&lt;foo&gt;&amp;&amp;&amp;&lt;/foo&gt;"
I am generating radio buttons based on an XML config values. Sometimes they have apostrophes in the text. When manipulating this data in PHP, I seem to lose everything after the apostrophe. For example:
<input type='radio' name='remove[]' value='Government wants to limit employers' communications about unionization'>
But when dumping it out after the form POSTs, I get this value:
array(1) {
[0]=>
string(35) "Government wants to limit employers"
}
Any suggestions on how to preserve the full string? Thanks!
use htmlspecialchars():
<input type="radio" ... value="<?php echo htmlspecialchars($array[0], ENT_QUOTES) ?>" ... />
It's explicitly intended to allow safe insertion of arbitrary text into html without 'breaking' the html. Note the 'ent_quotes' option. By default htmlspecialchars will only handle <>", but since you're using ', you need the option to tell htmlspecialchars to handle those too.
You can escape the quotes in the string: value='Government wants to limit employers' communications about unionization' Escaping it will cause this problem to stop.
PHP does give functions for this, in case your information is in a variable. Just use htmlspecialchars
Simplest way would be just to use double quotes like so:
<input type='radio' name='remove[]' value="Government wants to limit employers' communications about unionization">
It's pretty much the reason for them.
I usually stick with those 2 easy options, both equally efficient:
You can encapsulate one type of quotes in the other type
$var = " here single quotes ' are encapsulated in double quotes";
$var = 'here double quotes " are encapsulated in single quotes';
You can escape quotes by using \
$var = "just quote some mathematician: \"quot erat demonstrandum\".";
You can use double quotes to surround the text:
<input type='radio' name='remove[]' value="Government wants to limit employers' communications about unionization">
An even better way would be to replace the apostrophes with &#39;.
<input type='radio' name='remove[]' value='Government wants to limit employers" communications about unionization'>
This is a more robust solution in case the text includes double quotes as well. You should replace all 's with &#39;s and "s with &quot;s.
This can be easily done using htmlspecialchars(string $str). http://php.net/manual/en/function.htmlspecialchars.php
OK, so I've learned a bit of PHP and tried making a simple application, but I am not sure my webpage is secure from XSS and other such attacks.
My PHP code:
<?php
$title = $keywords = $description = "";
$valid_er = "";
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    if (empty($_POST['title'])) {
        $valid_er = "has-error";
    } else {
        // Wrap the escaped title in a <title>...</title> element.
        $title = "<title>" . test($_POST["title"]) . "</title>";
    }
    $keywords = '<meta name="keywords" content="' . test($_POST["keywords"]) . '" />';
    $description = '<meta name="description" content="' . test($_POST['description']) . '" />';
}
// Encode HTML-significant characters, then strip C-style backslash escapes.
function test($ci) {
    $ci = htmlentities($ci);
    $ci = stripcslashes($ci);
    return $ci;
}
?>
And my HTML form:
<form method='post' class='form-group' action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">
<label> Your Title </label> <input placeholder="Your websites title" type="text" name="title" class='form-control form-group-item' /><br />
<label> Keywords </label> <input placeholder="Your keywords separated by comma " type="text" name="keywords" class='form-control form-group-item' /><br />
<label> Description </label> <textarea placeholder="A nice description about your website;" name="description" class='form-control'></textarea><br />
<input type="submit" class='btn btn-info'>
</form>
I just wanted to know: am I vulnerable to cross-site scripting? Because I don't think only using htmlspecialchars() will protect me.
I just wanted to know: am I vulnerable to cross-site scripting?
No, you are not, and just using htmlspecialchars will protect you against XSS in most cases (if you use double quotes around attributes and follow the rules in my last paragraph).
You don't need to use stripcslashes, and you don't need to encode your own <, etc.
Do note however that htmlspecialchars does not encode a single quote (') by default. I mention this because for your form tag, you mainly use single quotes, and just double quotes for the action, which is a really good idea, as otherwise your code would be vulnerable to XSS. To avoid this problem, you can use htmlspecialchars($string, ENT_QUOTES, 'UTF-8');, with which single quotes would also be encoded. You still can't just omit using any quotes (if you do that, preventing XSS becomes a lot more complicated, as you would need to escape all characters with which you can break out of that context, which include space, +, etc.), but with this, you can use double or single quotes and be safe.
For more information, check out this site about XSS prevention (it tells you where this kind of encoding is not enough; you should never put user input inside <script>, <style>, HTML comments, attribute names, or tag names).
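As an added example (not code from the question or from either answer), here is an escaping helper applied to the question's three fields, with constructed input that mixes both quote characters, to show why the flags matter once an attribute is single-quoted:

```php
<?php
// Added example, not from the question or answers. $post below is constructed
// test input standing in for $_POST.

// Escape for HTML text and attribute context. ENT_QUOTES encodes ' as well as ",
// so the result is safe inside single- or double-quoted attributes. Passing the
// flags explicitly matters: before PHP 8.1 the default flags left ' untouched.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The same tags the question's code builds, with every dynamic value escaped.
function buildHead(array $post): string
{
    $title       = '<title>' . esc($post['title'] ?? '') . '</title>';
    $keywords    = '<meta name="keywords" content="' . esc($post['keywords'] ?? '') . '" />';
    $description = '<meta name="description" content="' . esc($post['description'] ?? '') . '" />';
    return "$title\n$keywords\n$description\n";
}

// Constructed input containing an apostrophe, double quotes and a tag.
$post = [
    'title'       => "Paul's \"Big\" House",
    'keywords'    => "php, apostrophe's, <b>bold</b>",
    'description' => "A 'quoted' description",
];

echo buildHead($post);

// Why the flags matter for a single-quoted attribute, as used in the question's form:
$raw = $post['title'];
// ENT_COMPAT encodes " but leaves ' alone, so the attribute value ends at the apostrophe.
echo "value='" . htmlspecialchars($raw, ENT_COMPAT, 'UTF-8') . "'\n";
// ENT_QUOTES (via esc) encodes ' as well, so the attribute stays intact.
echo "value='" . esc($raw) . "'\n";
```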
Every time a POST is made I get escaped characters.
\ -> \\
' -> \'
" -> \"
I have a multistep form, which transmits the data from one form to another. I save the values with prepared statements in the database. The values in the database currently look like Paul\'s House. Users should have the possibility to use single and double quotes in their string.
This is a simple example demonstrating the escaping effect:
<?php
echo $_POST['value'];
?>
<form action="form.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="value" value="Paul's House">
<input type="submit" value="Next">
</form>
Why or who escapes the string? What is the correct way for handling data over multiple forms? What is the correct way for saving it in the database? Should I use stripslashes() or I'm opening a big security hole?
Looks like you have Magic Quotes turned on.
http://www.php.net/manual/en/security.magicquotes.disabling.php
Check that out for how to disable.
You must turn off magic quotes on the server; otherwise you should be very careful about the on/off status of magic quotes.
I'm using this regex code to get the tags but not the value:
(<input type="hidden" name="pt" id="pt" value=")|(" \/>)
From this code:
<input type="hidden" name="pt" id="pt" value="f64b1aadf7baa6e416dbfb6bf95fa031" />
But how would I do it the other way around? Get the value, but not the surrounding tags? So I would only get "f64b1aadf7baa6e416dbfb6bf95fa031" (without the quotes). Thanks.
As Donut says, you seriously shouldn't use regexes on HTML. However, since this is a pretty straightforward case I'll be an enabler. But seriously, if it gets one iota more complicated, switch to a DOM parser.
value="(.+?)"
I'm assuming you are using PHP, so to get the captured group out, do this:
preg_match('/value="(.+?)"/', $input, $groups);
echo "Value = " . $groups[1];
The ? makes it a lazy operator, so it grabs up to the first quotation mark. If there is the possibility of escaped quotation marks inside the quotation marks you need to add this:
value="(.+?[^\\])"
While it is generally not advisable to attempt to parse HTML with regular expressions, you could try this: value="([^"]*)".
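As an added example (not code from the question or from either answer), here is the DOM-parser route both answers point to, reading the hidden input's value with PHP's DOM extension; $html is constructed test markup shaped like the question's snippet:

```php
<?php
// Added example, not from the question or answers: read a hidden input's
// value with DOMDocument instead of a regex. $html is constructed test markup.

function hiddenInputValue(string $html, string $name): ?string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // real pages are rarely well-formed XML
    $doc->loadHTML($html);
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    // Match on type only and compare the name in PHP, so $name never lands
    // inside the XPath string (a caller-supplied name cannot alter the query).
    foreach ($xpath->query('//input[@type="hidden"]') as $input) {
        if ($input->getAttribute('name') === $name) {
            // getAttribute() returns the decoded value: &quot; comes back as "
            return $input->getAttribute('value');
        }
    }
    return null;
}

// Constructed page: attribute order, quote style and entity use all differ
// from the question's snippet, which is exactly where a fixed regex breaks.
$html = <<<'HTML'
<form>
  <input name="pt" id="pt" type="hidden" value='f64b1aadf7baa6e416dbfb6bf95fa031'>
  <input type="hidden" name="note" value="say &quot;hi&quot;" />
</form>
HTML;

var_dump(hiddenInputValue($html, 'pt'));      // the hash, despite single quotes
var_dump(hiddenInputValue($html, 'note'));    // decoded: say "hi"
var_dump(hiddenInputValue($html, 'absent'));  // null when no such input exists

// The answer's regex (with the delimiters preg_match() needs) on the same markup:
// it skips the single-quoted value and returns the other attribute undecoded.
preg_match('/value="(.+?)"/', $html, $m);
var_dump($m[1] ?? null);
```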