This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
How to encrypt HTML, CSS and JavaScript to prevent theft
Is there any technique in PHP language, or some software available to encrypt the html code that is seen while clicking on view source and view generated source on browsers.Can the code be encrypted to binary strings ie( 0 and 1) format.
No. The browser needs valid HTML to display the document. There is no way to encrypt HTML.
The whole world is serving pages that are not encrypted, so it stands to reason it's not necessary, either.
People will always be able to get to your html - even if you did find some way to obfuscate / hide it, maybe using javascript, anyone can always use wget or similar to view it.
No. You can obscure it a bit, but in the end your browser needs to read it, and it reads HTML.
In a word: no. You can make the HTML ugly by removing whitespace, but the browser needs to be able to read it! You can obfuscate your Javascript pretty darn well by removing whitespace and newlines and using short or crazy variable names: for example see here.
Related
This question already has answers here:
Preserve and display text exactly how it is typed and submitted
(2 answers)
Closed 8 years ago.
** Update - following the link that deceze kindly posted to a similar question lead me to a great article by deceze here The Great Escapism which gave me all the answers I needed. To anyone finding this question due to similar issues I urge you to read this article **
I'm allowing users to enter information through a textarea on my site.
I'm aware that there is a security risk whenever a user can enter information into a site.
I want to be able to preserve whitespace / newlines from their entry but I'm also mindful of stripping HTML tags etc out of their input.
I have written a function that replaces \r\n with <br/> before the data retrieved from the database gets outputted to the browser (I also stripslashes before I output to the browser).
I have a function that will strip out HTML tags from the entered text that I can run before putting the user entry into the database.
I'm unsure if this is all that I need to do? Does anyone have either a list of checks I need to do before putting user-entered info into the database and then before displaying it in a browser? Or even a set of sanitising functions that they use for this?
I've looked at esc_html() and sanitize_text_field() and filter_var($output, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES) but I'm really unsure when I should be using what function?
Help much appreciated :-)
You can use mysql_real_escape_string() to prevent sql-injection. You can find a good basic tutorial here
This question already has answers here:
How can I sanitize user input with PHP?
(16 answers)
Closed 8 years ago.
For global safely, is it safe to to use htmlspecialchars or striptags when user POST or GET in php ?
for example, htmlspecialchars any post and get that sent by request and save that to the database
For displaying purposes you could just use htmlspecialchars() or htmlentities() to ward of the common XSS attacks.
It is not suggested to strip_tags() the data (unless it is really neccessary) , because that may lose all formatting if the user had provided any.
I would do sanity-checks depending on what you're expecting to get.
A good reading (like always) is the OWASP cheat-sheet: https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet#XSS_Cheat_Sheet
If you're expecting plain text, always use htmlspecialchars() when showing it by the web-client. Some template-engines, like Twig, already do that by default. For this case, I wouldn't do any checks when saving to the database, because you may need to encode it differently for another client later - and you expect it to be plain-text, right?
If the user has an RTE and can make use of HTML, I'd use strip_tags() or a method like used in other frameworks. An example is http://svn.openfoundry.org/wowsecmodules/trunk/filter/RemoveXSS.php. TYPO3 also has a pretty good one that you can view by downloading the package and looking into typo3/contrib/RemoveXSS/RemoveXSS.php
A workaround would be to use stuff like BB-Code or Markdown, handled as plain-text, that is later compiled to HTML in your code, but this mostly confuses the editor, if he isn't used to stuff like that.
What I do not recommend at all, but it's possible is to let the browser do the job - see XSS Basic Understanding
EDIT:
The two libs, I linked here for removing XSS from HTML-data, are both based on the same one, but have been forked into different projects and the communities applied fixes and so on. The goal of this method is like yours, even so I do not support it, because it sounds like a one-size-fits-all solution:
Usage: Run *every* variable passed in through it.
* The goal of this function is to be a generic function that can be used to
* parse almost any input and render it XSS safe. ...
Why I am against running this method on every input-variable? You do not think about what you really want to get. Maybe you just want plain-text ... In this case, as I wrote earlier here, you don't need to do that, but just use htmlspecialchars() when showing it in an HTML context.
This question already has answers here:
How to prevent XSS with HTML/PHP?
(9 answers)
Sanitizing HTML input
(5 answers)
Closed 9 years ago.
I want to provide an HTML editor on my site, but don't want to open myself up to xss or other attacks that come with allowing user-generated HTML.
This is pretty similar to what Stack Overflow does. How is the HTML checked/sanitized here so that the styling information still remains, while other, more dangerous stuff (like javascript, iframes, etc.) are kept out?
Are there any libraries (preferably in PHP) that already do this?
PHP has a function strip_tags that strips HTML and PHP tags from a string, and allows you to specify certain allowable tags. But as #webarto states, there are libraries that do this better.
From the PHP Manual.
Your can use
strip_tags($yourData,"<a><p><div><i>") // more tags you want to keep;
If your using SQL too use
mysql_real_escape_string($data);
This is really all you need to not get injected. Do keep in mind, when using mySQL real escape you need to use strip slashes to remove them when you echo them out.
Here are the docs for strip tags and the docs for mysql escape.
If you wish to allow some (X)HTML and restrict only tags viewed as unsafe, you can use something like KSES. Wordpress uses a solution like this.
http://sourceforge.net/projects/kses/
In addendum to Whymarrh's post, suggestion is to have the code work take place in a subfolder of your site, and auto-alter any code that has "..", or "http://" or any mysql commands.
Hoping this isn't a duplicate, I couldn't find an original question on the topic. If you have an area for users to input data, how do you store and retrieve the data without them inserting javascript or html?
As an example, say a user is making a forum post. They decide to write an html list or javascript function that runs when the post is viewed. How do you mitigate this when you receive their input on the server-side? Specifically a server'side of PHP.
Remove parts of their string data based on patterns?
Use an html tag around their entry like ?
Thanks
All you have to do, going for the bare minimum, is replace < with <.
I use HTML Purifier to strip out the bits I don't want and leave in the bits I do. The default rules are pretty good, but it offers enormous flexibility if you need it.
You have to remove or translate the offending parts of their post. You can do it once as the post is coming in, and save the translated post in the database, or you can do it every time you display the post, and store the raw post in the database. Both approaches have their good and bad points.
As to how to strip the bad stuff, using simple matching to replace all < and > with < and > goes a long way -- but there's plenty more to do besides that.
There are lots of tutorials out there on preventing code injections. Microsoft's is pretty comprehensive found here.
For html injects depending on how thorough you want to be you can usually just put in a string parser to check for <> and remove them without given exceptions.
Guys/Gals I have made a website but now I want to encode the script so that no one can copy.
I'm using PHP, JavaScript and HTML in each page of my website. So how do I encrypt each and every page?
Thank You.
PHP
No need to encrypt - noone will ever see it (unless your site has security problems).
JavaScript
You can pack it. Can be reversed.
HTML
You can remove all whitespace. This is problematic with pre and white-space: pre.
It is also very ease to export the formatted DOM structure that is the end result of your serialised mess.
The Most Important Part
Obfuscate to make pages load faster - not to stop people from stealing your code/markup. If your code is really worth stealing (which I doubt it, no offense), then people will get it.
Neither html nor javascript can be encrypted, else the browsers would not be able to interprete it and your visitors would not be able to view your site. Dot. End. Compression tools may boost performance a little but will not really help against copyright infringement.
Your php-programs generate html, your visitors will always be able to see your html, but if your server is configured properly no one should ever see your php.
Just get comfortable with the idea that putting something on the web is to open it to the world.
Cost in attempting to stop duplication of the stuff you've already decided to make publicly available: $your hourly rate x hours == ??
Cost to stop worrying about something that doesn't actually cost you anything: zero. winner.
(And to head off another question you're inevitably going to ask at some point in future - Don't attempt to disable right-clicks. It just annoys everyone and doesn't achieve anything.)
Try using Javascript Obfuscator for your javascripts.
It will not hide you script but it protects JavaScript code from stealing and shrinks size.
if you do a google on "html encryption" you'll get a lot of hits.
http://www.developingwebs.net/tools/htmlencrypter.php
The question I have is why you would want to do this? You're going to have a performance hit for what gain?
You can also do the same for javascript but unless your html or javascript has organisational sensitive data then... And if they do then perhaps that's not the best place for it.
Actually one way to do it is to use XML + XSLT, it's extremely difficult for a lay-person to figure out what is going on, even more difficult for them to get your sauce code.
search google for ioncube
http://www.ioncube.com/html_encoder.php
This converts the html into gibberish. Stealing your html becomes difficult.
Nobody's html code is worth stealing anyways. This is only for self satisfaction.
The most I have ever been able to do to protect my code is to disable the right click with this line of code:
<body oncontextmenu="return false">
but it doesn't mean they can't right click on another page open inspect element and go back to your page and look at the code it can only stop them from viewing the source code for the most part.
Little late, by 10 years, but I've found a website that encrypts HTML. However, it doesn't work with PHP, it does work with JS. Evrsoft is what I've used for my website. It's the only HTML encryption I've found so far. If you've got PHP in your code, only encrypt the HTML in the page and leave the PHP raw. Nobody can see PHP anyway. It's a free service.