solve security problem showing user input

delpino

Hi there,

I'm programming a simple forum in php and wonder how to make 100% sure that the shown user input can't contain any malicious code. Bascially I want to disable any code execution like javascript. So far I've tried to convert > and < into their html entities to stop javascript execution but is that enough? Thanks for any help.

frikikip

Hi,

There are several ways to do this; check:

strip_tags ( http://www.php.net/manual/en/function.strip-tags.php )
htmlspecialchars ( http://www.php.net/htmlspecialchars )
htmlentities ( http://www.php.net/htmlentities )

Cheers,

Marv

delpino

Thanks for the quick reply, however I was looking for more specific advice on this. Anybody?

MarkR

Simply don't allow them to put HTML in their posts; this is trivial as you can use htmlspecialchars to escape all characters which can be used to make HTML tags or entities etc.

The problems really start when you want to allow SOME html but not others.

Mark

delpino

I've put this into my script:

$text=str_replace('<','<',$text);
$text=str_replace('>','>',$text);

I guess that should be enough, at least to stop HTML/Javascript code. Just wanted to make sure thats enough security.

PS: htmlentities caused problems if someone uses chinese characters.

MarkR

You also need to escape &.

htmlspecialchars should not cause a problem with Chinese characters (certainly not in UTF-8). It does not affect anything except ampersand, less than and greater than.

Mark

delpino

you mean translate & to & amp ; ? why would this be a security problem?

MarkR

Because it will cause the HTML produced to be non-well formed and could result in the failure of the page to render properly.

Mark