Preventing XSS/ HTML in Forms

mrhinman

I want to use PHP (and/or javascript) to disallow a user to enter any HTML code or other script in a form field. I have a contact form that I get several emails a day with bogus email addresses (e.g., alkdhflkah@alskdfh.com) and a list of URLs in HTML tags in the <textarea> field. THe form is submitted using PHP mail().

I want to eliminate these and not allow them to either pass or be sent. No HTML. Should be easy enough, right? But I still haven't figured it out. The simpler the better.

laserlight

If you are sure that any HTML tag is junk data, then process the incoming data with [man]strip_tags/man. If not, or if you are worried that real data that looks like a bogus HTML tag may be stripped out, then use either [man]htmlentities/man or [man]htmlspecialchars/man.

mrhinman

What I ended up doing was adding an IF statement with eregi("<",$field) || eregi(">",$field) in it and the forms dies to "Invalid Input". In other words, no code is allowed. This is a simple contact form and those two characters should not be needed.
Stops the form dead in its tracks.

laserlight

If you want to do it that way, then use strpos() instead of eregi(), which is deprecated (and you dont need insensitive comparison anyway).

mrhinman

Does it work the same? I haven't used strpos() yet.

laserlight

Yes, eregi() should only be used when you want to use regular expressions. Now, preg_match() is now used in favour of ereg() and ereg(). In this case, strpos() can directly replace eregi(), but you could also write:
preg_match('/[<>]/', $field)

That said, making a script die due to invalid input is a very rude way of handling user input errors. You should either inform the user that there was invalid input and request that it be refilled and resubmitted, or silently handle the invalid input (e.g., strip_tags() or htmlentities() ).

mrhinman

Well, I understand what you are saying. But the Form dies to saying "Invalid input. Please go back and try again. No spammers, please." The form simply asks for Name, email and question. It is for a ham radio web site. So, there should be no need ever for a person to include the < or > characters in an otherwise normal communication. I'm considering rewriting the script to go back to the page and simply echo a message saying "Invalid input..." whatever.

Crowly

I would also look at different captcha solutions to keep bots away (or atleast make it harder).
Just search this forum or google for captcha. Hotscripts.com also have some free scripts that you can download and adapt.