How to filter data entries in PHP


9

Good evening. I have a form for data entry, and the entered data is displayed on the screen. The problem is that this data can be HTML tags or scripts; if someone puts this code in my form, the page will be redirected.

<meta http-equiv="refresh" content="6; url=/">

How could I clear HTML tags or any other kind of malicious injection?

3 answers

11


Objective answer!

strip_tags() allows other types of XSS insertion, so use htmlspecialchars()

echo htmlspecialchars($Variavel, ENT_QUOTES, 'UTF-8');

Long answer...

Let's start in parts: what you want is to protect yourself from XSS, and your data input is enabling the injection of commands or markup. We will analyze this well to be able to create a 100% functional solution; in security we must be calculating.

Analyzing the scenario where XSS can happen!

Let's consider two scenarios for this situation

<input type="text" value="$Suspeito">

and another common one is when we put the content in a div

<div class="container" id="ct">
    <?php echo $Suspeito ?>
</div>

Now, let's replace this variable with a classic XSS

Doesn't work!

<input type="text" value="<script> alert("Xss here");</script> ">

Works!

<div class="container" id="ct">
    <script> alert("Xss here");</script>
</div>

Solution at first sight!

We can add extra protection using strip_tags() to escape tags!

Let's see how it would look if our variable had protection with strip_tags()

Doesn't work!

<input type="text" value="alert("Xss here"); ">

Doesn't work!

<div class="container" id="ct">
    alert("Xss here");
</div>

Just like in Brazil, there is a way for everything, and this solution is far from solving any problem; just use your imagination.

Imagine this situation; apparently there are no problems, right?

Wrong. Let's force our imagination: I need to fuck with this code without using tags

<?php $Suspeito = '" onfocus=document.write("");" fecha="'; ?>
<input type="text" value="" onfocus=document.write("");" fecha="">

Oops, now it's a problem. Is it just that?

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>


'';!--"<XSS>=&{()}

<IMG SRC="javascript:alert('XSS');">

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&
#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

So then we need another solution that doesn't fail that way, remembering that we have another problem: if you escape the tags, no one will be able to use... remember math, comparisons, or even code; you will simply lose data...

More flexible solution

By limiting the encoding to UTF-8 and using htmlspecialchars, it becomes possible to use tags and scripts in HTML without them having any effect on the page: the characters < and > are substituted by entities, which makes < and > fully transparent to the user.

echo htmlspecialchars($Suspeito, ENT_QUOTES, 'UTF-8');

Look at this link showing a comparison between htmlspecialchars and strip_tags: Online script

This is maybe not a perfect solution; maybe there is a way to cheat it. Try to do that whenever you come across some security issue.

  • But I am using it and it is not returning anything <?php echo htmlspecialchars($exibe_tasks, ENT_QUOTES, 'UTF-8'); ?>

  • I updated the example using an array, see http://ideone.com/Er5UZZ
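As an added example (not code from the answer above), the three treatments the answer compares, applied to the same untrusted value in both contexts it discusses: a quoted attribute value and a div body. The sample strings are constructed here; two of them are the attribute-breakout string and the script element shown in the answer.

```php
<?php
// Added example, not code from the original answer: the same untrusted value
// rendered raw, through strip_tags(), and through htmlspecialchars(), in the
// two contexts the answer discusses (a quoted attribute value and a div body).
declare(strict_types=1);

function render(string $value): array
{
    return [
        'input' => '<input type="text" value="' . $value . '">',
        'div'   => '<div class="container" id="ct">' . $value . '</div>',
    ];
}

function escapeHtml(string $value): string
{
    // ENT_QUOTES encodes both ' and ", so the value can never close the
    // attribute it sits in; < and > become &lt; and &gt; and stay visible text.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed samples: the attribute-breakout string and the script element
// from the answer above, plus ordinary text that happens to contain < and >.
$samples = [
    'attribute breakout' => '" onfocus=document.write("");" fecha="',
    'script element'     => '<script>alert("Xss here");</script>',
    'legitimate text'    => 'x<y && y>z',
];

foreach ($samples as $name => $raw) {
    $variants = [
        'raw'              => $raw,
        'strip_tags'       => strip_tags($raw),
        'htmlspecialchars' => escapeHtml($raw),
    ];
    echo "== $name ==\n";
    foreach ($variants as $mode => $value) {
        foreach (render($value) as $context => $html) {
            printf("%-17s %-6s %s\n", $mode, $context, $html);
        }
    }
}
```

strip_tags() leaves the attribute-breakout sample untouched (the input tag still gains an onfocus handler) and discards everything between < and > in the legitimate text, while htmlspecialchars() keeps every sample as inert text. htmlspecialchars() is only the right tool for HTML body text and quoted attribute values; a value that lands in a URL attribute such as src or href, or inside a script block, needs context-specific handling.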

4

You want to know how to take these tags out if the user inserts this into the text field that is added to the MySQL database, avoiding unnecessary redirects in the echo, is that right?

If so, you can use the strip_tags() function, which removes HTML tags from strings.

  • 1

    This was it, thanks <?php echo strip_tags($exibe_tasks["task"]); ?>

  • 1

    If you want to remove only this tag, you can use regular expressions with the function preg_match();

  • 1

    Yes, now I even discovered fgetss

  • 1

    XSS... living and learning

  • 1

    Yes, exactly, there are N ways... rsrsrs, if you need anything, we are available.

  • @Italoizaac Good edit on the question, although you did the job and did not let the author learn by himself. But now it is a good question.

  • @Guilhermenascimento That's fine, but I don't see such a problem in giving one more hint on something, because sometimes users run after quick answers. So the studying should start from her, because there is no lack of content on the Internet, but coming here she would have a certain urgency, and it even remains as a reference for her.

  • The question was very confusing at first and I was really guiding him to edit it so that he could get faster answers and other users would be interested in answering it. Fortunately you had the good will to answer, but the author will not always have someone at his disposal, and when that happens he will get frustrated. I hope you understand.

  • Perfectly. :D

  • 1

    @Italoizaac This solution does not cover data that is placed in attributes, besides taking away the freedom to use tags; any reference to mathematics or even programming will be removed. Example of a string where the fault persists: " onfocus=document.write("");" will continue to work -> <input value="<?php echo $Variavel ?>">


4

There are ways and means to solve problems; I personally prefer to turn to PHP The Right Way when it comes to PHP, because in the language itself there are numerous solutions to everyday problems, where people usually juggle to reach the same solution.

Whenever you obtain information from an unknown source, such as data sent from a form, the input and output information should always be processed, whether it is sent to or received from a database or shown on the HTML page itself.

In the PHP language there are filters, which are used to validate (as in the case of e-mail validation through the FILTER_VALIDATE_EMAIL filter) and to sanitize values (as in the case of FILTER_SANITIZE_STRING, which cleans strings, and FILTER_SANITIZE_EMAIL, which removes characters that are not used in the construction of an e-mail). These filters work together with the functions filter_var, filter_input and others.

Taking into account the PHP documentation and PHP The Right Way, I would use the example below:

<?php

// insecure
$input = 'alert("ola")';
echo $input;

// secure
$input_filter = filter_var($input, FILTER_SANITIZE_STRING);
echo "<br>" . $input_filter;

Example in the ideone: http://ideone.com/Y2w9tr
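As an added example (not the answer's own code), the same filter API used both to validate and to sanitize, on constructed sample input. The stripping filter the answer uses is shown next to FILTER_SANITIZE_FULL_SPECIAL_CHARS, which escapes instead of stripping and is the filter the PHP manual points to now that FILTER_SANITIZE_STRING is deprecated (since PHP 8.1).

```php
<?php
// Added example, not code from the original answer: validating versus
// sanitizing with PHP's filter extension, on constructed sample input.
declare(strict_types=1);

// Validation: a value either has the expected shape or is rejected outright.
function validEmail(string $value): ?string
{
    $email = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Sanitizing, legacy form: FILTER_SANITIZE_STRING strips tags (like strip_tags)
// and, without FILTER_FLAG_NO_ENCODE_QUOTES, turns ' and " into numeric entities.
// It is deprecated since PHP 8.1 and loses any text that looks like a tag.
function sanitizeStripping(string $value): string
{
    return (string) filter_var($value, FILTER_SANITIZE_STRING);
}

// Sanitizing, current form: FILTER_SANITIZE_FULL_SPECIAL_CHARS applies
// htmlspecialchars() with ENT_QUOTES, so nothing is lost and nothing renders.
function sanitizeEscaping(string $value): string
{
    return (string) filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}

// Constructed samples: a valid address, an address with a tag appended,
// the attribute-breakout string from the first answer, and text containing < and >.
$samples = [
    'user@example.com',
    'user@example.com<script>',
    '" onfocus=document.write("");" fecha="',
    'x<y && y>z',
];

foreach ($samples as $raw) {
    printf("input:    %s\n", $raw);
    printf("  email:  %s\n", validEmail($raw) ?? '(rejected)');
    printf("  strip:  %s\n", sanitizeStripping($raw));
    printf("  escape: %s\n\n", sanitizeEscaping($raw));
}
```

On PHP 8.1 and later the stripping variant also emits a deprecation notice, which is the signal to move output escaping to htmlspecialchars() or the FULL_SPECIAL_CHARS filter.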
