I have created a simple CMS for an auction company, but I found out today that I can include HTML tags in my fields when I update the content. Just out of sheer curiosity, is this dangerous? Could someone put a malicious script in and have it run, too? On the flip side it's pretty cool, because you can take this idea and run with it by creating a CMS to create on-the-fly web pages with the content that you want in them, and the end user can modify the content, right?
-Matt
Yes, an evil Script kiddiot can run his scripts in it and possibly destroy your web page 😉
That's an open door to cross-site scripting attacks. You might want to at least strip <script> -tags.
Thanks, so now that I know that this is a major security issue, how do I fix it? If you can just give me a general idea as to how to go about fixing this, that would be great.
Use htmlspecialchars()
e.g.
// escape the value before echoing it into the page (ENT_QUOTES also escapes single quotes)
$name = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
so instead of activating the script they put in, e.g. <?php blah baljh ?>
it would echo out everything including the tags instead of executing the code:
<?php blah baljh ?>
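Added example, not code from the thread: a minimal PHP page template that escapes every CMS field on output, shown beside the unescaped version it replaces. It assumes the fields are stored exactly as the editor typed them and escaped only at the moment they are echoed; the $item array and its field names are constructed for the example.

```php
<?php
// Added example (not from the thread): escape CMS field content on output so
// that any HTML a user typed into a field is displayed as text rather than
// interpreted by the browser. Assumes fields are stored unmodified and
// escaped at the moment they are echoed into the page, not when saved.

declare(strict_types=1);

// Escape a single value for insertion into HTML element content or a
// double-quoted attribute. ENT_QUOTES also escapes single quotes, and
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable rendering: the field is written into the page as-is, so any
// markup inside it becomes part of the document the browser parses.
function renderUnsafe(array $item): string
{
    return '<h2>' . $item['title'] . '</h2><p>' . $item['description'] . '</p>';
}

// Hardened rendering: every field passes through e() on output, so the
// only tags in the result are the ones this template wrote itself.
function renderSafe(array $item): string
{
    return '<h2>' . e($item['title']) . '</h2><p>' . e($item['description']) . '</p>';
}

// Constructed sample record, as a CMS editor might have saved it.
$item = [
    'title'       => 'Lot 42: <b>Antique clock</b>',
    'description' => 'Runs well <script>alert(1)</script> and keeps time.',
];

// What the browser would receive in each case.
echo renderUnsafe($item), PHP_EOL;
echo renderSafe($item), PHP_EOL;

// Check: the escaped output contains exactly the four '<' characters the
// template itself emits (h2, /h2, p, /p); everything from the fields is inert.
assert(substr_count(renderSafe($item), '<') === 4);
```

Escaping belongs at output because the same stored text may later be placed in a JavaScript string, a URL or an attribute, each of which needs a different encoding.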
Thanks so much.
No Problem 😉