403 Forbidden when saving data from a form

Viewed 529 times

4

I have a field in the form that allows HTML tags. If you insert the following line into the field and submit the form, the server returns a 403 Forbidden error:

<span style="display: none">&nbsp;</span>

But if you insert the line with single quotes, the error no longer happens:

<span style='display: none"'>&nbsp;</span>

Does anyone know what's going on? It is not an error in the PHP handling of the field, because I put a die("teste") before any use of $_POST and the error is still returned for the first option.

UPDATE:

I changed the form action to a PHP file that contains only the code below and it still returns 403 Forbidden. Does anyone have any idea what it might be?

<?php echo "teste"; ?>

UPDATE:

According to the technician, the error happens because an anti-spam block on the server is triggered:

Rule 300076, antispam content.

Is there a way around this in PHP, or only by turning off the rule?

  • Just to clarify: your goal is for the user to insert content with HTML tags, and this content will then be displayed back as HTML, right? (If so, be careful with XSS.)

  • @mgibsonbr this is a back office, hence the need for HTML; the restriction is that we do not allow the script tag.

3 answers

1

  • This will "escape" all the content of the tag (and prevent XSS), but is this what the OP wants? In other words, doesn't "allows html tags" mean that when the data comes back from the form it should come as HTML, not as plain (escaped) text?

  • The problem is that it doesn't even get to run the $_POST handling; it returns Forbidden first. I inserted a die("test") before the $_POST; at the very least it should have printed the "test" string on screen, which did not happen.

0

I'm not a PHP enthusiast, but I'm pretty sure that when PHP reads it, it becomes the string:

"<span style="display: none">&nbsp;</span>"

That's why the style should have its values in single quotes in order to be converted:

"<span style='display: none'>&nbsp;</span>"

As our dear friend @rafaelcpalmeida mentioned, you can use the htmlspecialchars function.

  • In fact, if that string were in the source code, PHP would interpret it that way. But from what I understand this is data from a field in the form, submitted by the user; it will be in a variable, not in the PHP source.

  • And in the case of an echo of that string, wouldn't it be converted and inserted into the HTML?

  • Inserted into the HTML, yes, but not into PHP... Example

  • Yes, in the HTML itself.

  • The problem is that it doesn't even get to run the $_POST handling; it returns Forbidden first. I inserted a die("test") before the $_POST; at the very least it should have printed the "test" string on screen, which did not happen.
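The two server-side options raised in this thread, escaping with htmlspecialchars versus keeping markup but refusing script (the back-office requirement stated in the question's comments), as an added example that is not code from the question or from any answer. It only applies once a request actually reaches PHP; the 403 in the question is produced before that and is not affected by it. It assumes PHP 7.4 or later with the DOM extension, and the allowlists of tags and attributes are an illustrative choice, not something the page specifies.

```php
<?php
// Added example, not code from the question or any answer. It shows the two
// server-side options discussed here, once a request actually reaches PHP
// (the 403 in the question is produced before that and is untouched by this).
// Assumptions: PHP 7.4+ with the DOM extension; the allowlists below are an
// illustrative choice for a back office that needs markup but no script.

// Option 1: store and display the value as text. Every tag is shown literally.
function render_as_text(string $html): string
{
    return htmlspecialchars($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Option 2: keep markup, but only elements and attributes on an allowlist.
// strip_tags($html, '<span>') is not enough: it keeps every attribute of an
// allowed tag, so onclick="..." would survive. A DOM walk lets us drop those.
const ALLOWED_TAGS  = ['span', 'p', 'b', 'i', 'strong', 'em', 'br', 'a'];
const ALLOWED_ATTRS = ['span' => ['style'], 'a' => ['href']];

function sanitize_html(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // fragments are rarely well-formed; ignore parser warnings
    // The XML PI tells libxml the fragment is UTF-8; the wrapper <div> gives us
    // one node whose children are the cleaned fragment.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0); // first div in document order is our wrapper
    if ($root === null) {
        return '';
    }
    clean_node($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function clean_node(DOMNode $node): void
{
    // Copy the live list first: removing children while iterating it skips siblings.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                $node->removeChild($child); // drops the element and its whole subtree, e.g. <script>...</script>
                continue;
            }
            $allowed = ALLOWED_ATTRS[$tag] ?? [];
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name  = strtolower($attr->name);
                $value = trim($attr->value);
                $drop  = !in_array($name, $allowed, true);
                // Links: only http(s) URLs, so javascript: and data: never reach the page.
                if (!$drop && $name === 'href' && !preg_match('#^https?://#i', $value)) {
                    $drop = true;
                }
                // Inline style: refuse constructs that fetch resources, run code in
                // legacy engines, or use backslash CSS escapes to hide those words.
                if (!$drop && $name === 'style'
                    && preg_match('/expression|url\s*\(|javascript:|@import|\\\\/i', $value)) {
                    $drop = true;
                }
                if ($drop) {
                    $child->removeAttribute($attr->name);
                }
            }
            clean_node($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child); // comments and processing instructions are not needed in stored content
        }
        // Text nodes stay as they are; saveHTML() escapes them on output.
    }
}

// Constructed sample inputs: the value from the question, and one carrying script.
$samples = [
    '<span style="display: none">&nbsp;</span>',
    '<span onclick="alert(1)" style="color:red">x</span><script>alert(2)</script>'
        . '<a href="javascript:alert(3)">y</a><!-- c -->',
];
foreach ($samples as $s) {
    echo "as text:   ", render_as_text($s), "\n";
    echo "sanitized: ", sanitize_html($s), "\n";
}
```

For the first sample, render_as_text() returns the span with its angle brackets and quotes encoded, so a browser shows the tag literally; sanitize_html() returns the span with its style attribute intact, because both are on the allowlist. For the second sample the script element, the onclick attribute, the javascript: link target and the comment are all removed, while the span, its color style and the link text survive. Which of the two to use depends on whether the stored value is meant to be displayed as markup or as text, which is exactly the question the comments above raise.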

0

Anyway, your second option with single quotes is incorrect:

<span style='display: none"'>&nbsp;</span>

It has a stray " in it. The correct form would be:

<span style='display: none'>&nbsp;</span>

Maybe the problem is at the time of saving this data in the database. If so and you use MySQL, use the mysql_real_escape_string($html_aqui) function.

I did a small test/example here, and everything worked correctly. I don't think the problem is only that.

Note that I used the POST method.

PHP form:

<!doctype html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>Form tag</title>
</head>
<body>

  <?php if ($_SERVER['REQUEST_METHOD'] === 'POST') { ?>
    <strong>$_POST:</strong>
    <!-- var_dump() prints directly; wrapping it in echo only echoes its null return value -->
    <pre><?php var_dump($_POST); ?></pre>
  <?php } ?>

  <form action="formtag.php" method="POST">
    <input type="text" name="tag">
    <button type="submit">Go!</button>
  </form>

</body>
</html>

Response (rendered HTML):

$_POST:
array(1) {
  ["tag"]=>
  string(41) ""
}

Response (page source):

array(1) {
  ["tag"]=>
  string(41) "<span style="display: none">&nbsp;</span>"
}

Could you post the full code of your form?

  • The double quote was just a typing error; the source is correct. I also think the problem is something else, because it doesn't run the PHP at all, it returns Forbidden before that. I tried to find out and there is software running on the server that prevents XSS attacks; maybe that's it.

  • Have you tried to debug the code? To see whether this occurs at some particular step, or whether it is already there at the start of the request?

  • Yes, I even changed the "action" of the form to a PHP file that contains only "echo 'test';", but 403 Forbidden still appears. Could it be some kind of server-side block?
