PHP site preventing XSS a bit too well


I have a blog system where random people can post comments. If naughty people try to post Javascript, this will happen:

bla bla <script>alert("Hacked")</script>

Turns into

bla bla &lt;script&gt;alert(&quot;Hacked&quot;)&lt;/script&gt;

I would prefer the post to keep the code intact, just in case someone ever needs to post HTML. How do I make the second line look like the first, without it actually doing anything? The current way I filter it is:

$safeMessage = htmlspecialchars($reply['message'], ENT_QUOTES | ENT_HTML401, 'UTF-8');

echo $safeMessage;

There is 1 answer

Stefano Mtangoo On

The best way I can think of is using HTML Purifier and specifying only a subset of HTML you want to allow. Check the documentation here
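An added PHP example (not code from the question or the answer) showing the two approaches side by side: escaping once at render time, which already displays the `<script>` text literally in the browser, and the HTML Purifier allowlist the answer suggests. The function names are my own, and the second part assumes HTML Purifier is installed via Composer at vendor/autoload.php.

```php
<?php
// Added example; assumes PHP >= 5.4 and, for purifySubset(), HTML Purifier
// installed through Composer (vendor/autoload.php).

// Approach 1: store the comment exactly as submitted and escape only when it
// is rendered. The entity-encoded string goes into the page *source*; the
// browser shows it to the reader as the original text and never executes it.
function escapeForHtml(string $text): string
{
    // ENT_QUOTES escapes both quote styles (safe inside attributes too);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input, same as the comment in the question.
$comment = 'bla bla <script>alert("Hacked")</script>';

// Escaped once: rendered by the browser as the literal script text.
$renderedOnce = escapeForHtml($comment);

// Escaped twice (e.g. once before storing, again when printing): the browser
// now shows "&lt;" and "&quot;" literally, which is the symptom of
// double-escaping rather than of escaping at all.
$renderedTwice = escapeForHtml($renderedOnce);

// Approach 2 (the answer's suggestion): allow a controlled subset of HTML.
// Everything not on the allowlist, including <script>, on* handlers and
// javascript: URLs, is removed by the purifier.
function purifySubset(string $html): string
{
    require_once __DIR__ . '/vendor/autoload.php';   // assumption: Composer install
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,b,i,em,strong,code,pre,a[href]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}

// Constructed sample mixing allowed markup with content the allowlist rejects.
$mixed = '<b>bold</b> <script>alert(1)</script> <a href="javascript:alert(1)">x</a>';

echo "Escaped once:  ", $renderedOnce, "\n";
echo "Escaped twice: ", $renderedTwice, "\n";
echo "Purified:      ", purifySubset($mixed), "\n";
```

Pick one of the two per output context: escape when the comment should appear as plain text, purify when a limited set of tags must render; never apply the escape to text that was already escaped when stored.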