Avoid XSS with BBCode input and HTML output - html

I'm currently working on a website where users can write articles with a few formatting possibilities (like bold, italic, lists...). I'm using a framework: CodeIgniter.
I'm a beginner, and I've heard some stuff about XSS. I would like to know what you think about my implementation. I read this topic:
What's the best method for sanitizing user input with PHP?
1) The user writes his article and formats it with BBCode. I'm using SCEditor.
2) When saving it into the database, I'm using htmlspecialchars() to filter any suspicious HTML tags. Am I supposed to do this when I'm saving data, or when displaying data?
3) When I want to display the article on the website (for other users, for example), I convert the BBCode tags into HTML tags.
Is this the right way to do it? Am I avoiding XSS?
I am obviously open to suggestions and advice.
Thanks for your answers

CodeIgniter's form validation has an xss_clean rule which will do all that stuff:
$this->form_validation->set_rules('username', 'Username', 'trim|required|min_length[5]|max_length[12]|xss_clean');
Check out form validation in CodeIgniter:
http://ellislab.com/codeigniter/user-guide/libraries/form_validation.html

I "find and replace" using PHP; I don't think it's the most efficient way of doing it though.
<?php
// Remove the angle brackets themselves so no tag can be formed at all.
// str_ireplace() is case-insensitive, which makes no difference for single characters.
$malicious = "<script>alert(1)</script>";
$malicious = str_ireplace("<", "", $malicious);
$malicious = str_ireplace(">", "", $malicious);
echo $malicious; // scriptalert(1)/script
?>

<?php
// strip_tags() removes the tags, then htmlentities() escapes whatever is left
// (ENT_QUOTES also converts both single and double quotes).
$malicious = "<script>alert(1)</script>";
$malicious = strip_tags($malicious);
$malicious = htmlentities($malicious, ENT_QUOTES);
echo $malicious; // alert(1)
?>
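An added example, not code from the question or any of the answers, of the three-step flow the question describes: the raw BBCode is stored unchanged, htmlspecialchars() runs at display time, and only then a fixed set of BBCode tags is turned into HTML. It also covers the one thing escaping alone does not catch, a [url] tag whose target is a javascript: or data: URL. The function names, the tag set and the sample article are this example's own.

```php
<?php
// Added example, not code from the question or the answers.
// Store the raw BBCode; escape at display time; then translate a fixed
// set of BBCode tags into HTML. Function names here are this example's own.
declare(strict_types=1);

// Accept only http(s) or site-relative URLs, so javascript:, data: and
// vbscript: targets never reach an href attribute.
function bbcode_safe_url(string $url): ?string
{
    $url = trim($url);
    return preg_match('#\A(?:https?://|/)[^\s"<>]*\z#i', $url) === 1 ? $url : null;
}

function bbcode_to_html(string $raw): string
{
    // Step 1: escape everything the user typed. From here on, no '<', '>',
    // '"', "'" or '&' from the input survives, so user-written HTML is inert.
    $html = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    // Step 2: rewrite whitelisted tags. The HTML emitted here is fixed text
    // written by us; the captured $1 is already-escaped user text.
    // [*] items are handled before [list] so the closing [/list] still exists
    // as the lookahead boundary for the last item.
    $rules = [
        '#\[b\](.*?)\[/b\]#is'                => '<strong>$1</strong>',
        '#\[i\](.*?)\[/i\]#is'                => '<em>$1</em>',
        '#\[u\](.*?)\[/u\]#is'                => '<u>$1</u>',
        '#\[\*\](.*?)(?=\[\*\]|\[/list\])#is' => '<li>$1</li>',
        '#\[list\](.*?)\[/list\]#is'          => '<ul>$1</ul>',
    ];
    $html = preg_replace(array_keys($rules), array_values($rules), $html);

    // Step 3: [url=target]text[/url]. The target was escaped in step 1, so
    // decode it for validation and re-escape the accepted value for the attribute.
    $html = preg_replace_callback(
        '#\[url=([^\]]+)\](.*?)\[/url\]#is',
        static function (array $m): string {
            $target = bbcode_safe_url(html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8'));
            if ($target === null) {
                return $m[2];   // rejected scheme: keep the link text, drop the link
            }
            $href = htmlspecialchars($target, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $href . '" rel="nofollow noopener">' . $m[2] . '</a>';
        },
        $html
    );

    return nl2br($html);
}

// Constructed input mixing legitimate BBCode with two XSS attempts.
$article = "[b]Hello[/b] <script>alert(1)</script>\n"
         . "[url=javascript:alert(1)]click me[/url] "
         . "[url=https://example.com/?a=1&b=2]ok[/url]\n"
         . "[list][*]one[*]two[/list]";

// In a CodeIgniter view this is the value you echo: the <script> text is
// shown literally, and the javascript: link is reduced to its label.
echo bbcode_to_html($article);
```

Escaping first and converting second is what makes this safe: the only raw `<` and `>` in the output are the ones the converter writes itself, so a submitted script tag is displayed as text rather than executed. It also answers "save or display?": escape at display time and store the raw BBCode, which keeps the article editable in SCEditor and lets the escaping be changed later without touching the database. Escape exactly once; running htmlspecialchars() both on save and on display turns every `&` into `&amp;amp;` on screen.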

Related

Page text: disable conversion of HTML links to HTML entities

I have an old Mediawiki site (1.6.x) and I need to upgrade it to 1.31. This site has many pages and many of them have text with html links in the HTML format such as:
Text
I am able to upgrade its database to 1.31. However, in display, the above html links are converted to
<a href="/index.php?title=My_PAGE">TEXT</a>
How can I prevent Mediawiki (1.31.x) from performing the above conversion?
I am uncertain presently how to prevent MediaWiki from changing your code, but a possible solution would be to use this
https://www.mediawiki.org/wiki/Extension:Replace_Text
after the upgrade to replace &lt; with < and &gt; with >
Unable to find a method, I simply added the following two lines in public function execute() of ExampleTemplate.php
$html = str_replace('&lt;', '<', $html);
$html = str_replace('&gt;', '>', $html);
Please let me know if you know a better way.

How to create a Random number or string in HTML without javascript or jquery

I want to generate a random number or string in HTML so that i add this to HTTP URL inside the HTML page to make it different each time page loads.
That's impossible. HTML is a markup language, and cannot be used for defining logic.
You should use server side scripting language for that.
HTML does not provide random number generation without using javascript OR jQuery.
If you want to avoid the cache problem by ensuring the user has a different URL each time he loads the page, you can do something like:
<body onLoad="location.hash = Math.floor((Math.random() * 100) + 1);">
I don't think that works, because HTML is a static language.
Would something that uses PHP help? Example:
<?php
// PHP concatenates strings with ".", not "+"; a random number is appended to the URL.
$url = 'https://linkexample/ws/' . rand(1, 100) . '.com';
echo $url;
?>

What do I have to do for opening and editing existing file with PHP?

I have different HTML files. I want to open, edit and then save changes with PHP (NOT OOP) in an admin panel by using an HTML textarea tag. What do I have to do for that? Do I need to create a new MySQL database? Could you please show me an example?
You can read the contents of the HTML file using file_get_contents:
$html = 'example.html';
$currentContents = file_get_contents($html);
// set the textarea text to $currentContents
To write the changes, you will have to post the textarea to a PHP script (through an HTML form) and then do something like:
$newContents = $_POST['textareaName'];
$html = 'example.html';
$fh = fopen($html, 'w') or die("File could not be opened.");
fwrite($fh, $newContents);
fclose($fh);
There are some security things you need to worry about, but this is a basic example of how to achieve your goal. Good luck!
http://us.php.net/file_get_contents
http://us.php.net/fwrite
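An added example, not the answerer's code, of the same read-then-write flow with the check that matters most once the file name comes from the form: the name is confined to a single directory, so a request for `../../config.php` can neither read nor overwrite anything outside it. The directory name and the form field names are assumptions for the example; the admin login and a CSRF token for the form are still required and are not shown.

```php
<?php
// Added example, not the answerer's code. Directory and field names are assumed.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';   // assumed: the only directory the editor may touch

// Map a user-supplied file name to a real path inside PAGES_DIR, or null.
// basename() drops any directory part, the regex allows only plain names,
// and realpath() resolves symlinks so the prefix check cannot be fooled.
function resolve_page(string $name): ?string
{
    $name = basename($name);
    if (preg_match('/\A[A-Za-z0-9_-]+\.html\z/', $name) !== 1) {
        return null;
    }
    $dir  = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $name);   // false if the file does not exist
    if ($dir === false || $path === false || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function read_page(string $name): ?string
{
    $path = resolve_page($name);
    if ($path === null) {
        return null;
    }
    $contents = file_get_contents($path);
    return $contents === false ? null : $contents;
}

function write_page(string $name, string $contents): bool
{
    $path = resolve_page($name);
    if ($path === null) {
        return false;
    }
    // Write a temporary file in the same directory, then rename it into place,
    // so an interrupted write never leaves a half-written page behind.
    $tmp = $path . '.tmp';
    return file_put_contents($tmp, $contents, LOCK_EX) !== false && rename($tmp, $path);
}

// Request handling. This script must sit behind the admin login: anyone who can
// submit this form publishes arbitrary HTML, because editing raw HTML is the feature.
$name = (string)($_POST['page'] ?? $_GET['page'] ?? '');
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!write_page($name, (string)($_POST['contents'] ?? ''))) {
        http_response_code(400);
        exit('Unknown page');
    }
}
$current = read_page($name);
if ($current === null) {
    http_response_code(404);
    exit('Unknown page');
}
?>
<form method="post">
  <input type="hidden" name="page" value="<?= htmlspecialchars($name, ENT_QUOTES, 'UTF-8') ?>">
  <!-- htmlspecialchars() keeps a </textarea> inside the file from ending the textarea early -->
  <textarea name="contents"><?= htmlspecialchars($current, ENT_QUOTES, 'UTF-8') ?></textarea>
  <button type="submit">Save</button>
</form>
```

Because realpath() returns false for a file that does not exist, this version can only edit files that are already in the directory, which is what the question asks for; creating new pages would need a separate, equally restricted name check.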

How can I make hyperlinks open in a new tab using CSS or Multimarkdown?

I am using Text::MultiMarkdown to create HTML files from MultiMarkdown documents.
I would like all links to open in a new tab.
Is there a way to configure this behavior using a CSS template, or directly in the MultiMarkdown document (without explicitly writing HTML around each link in the MultiMarkdown document)?
Definitely not in CSS - that is only concerned with the way the elements appear, not how they behave.
It should be possible to add <base target="_blank"> to the head of the HTML document (using XSLT), but that's on par with adding it to each link.
In HTML and/or JavaScript you can only initialize the opening of a new window. The user is in some UAs able to force the opening of a new window as a new tab instead. But you can not control this behaviour.
In theory, you could do this with CSS3: http://www.w3.org/TR/css3-hyperlinks/ - however no common browser ever implemented this. The reason might be that it is a common belief that the choice of when a new window or tab is opened should be left to the user alone.
You can't do this in CSS but you can use the source.
You could subclass Text::MultiMarkdown and provide your own implementation of _GenerateAnchor, something similar to this might work:
package MyMultiMarkdown;
use strict;
use warnings;
use parent 'Text::MultiMarkdown';

sub _GenerateAnchor {
    my ($self, $whole_match, $link_text, $link_id, $url, $title, $attributes) = @_;
    # Add target="_blank" to every link except in-page fragment links (#anchor).
    # Note: target="_blank" alone hands the opened page a window.opener reference
    # back to this page; rel="noopener" is what prevents that.
    if ($url && index($url, '#') != 0) {
        $attributes = $attributes ? $attributes . ' target="_blank"' : 'target="_blank"';
    }
    return $self->SUPER::_GenerateAnchor($whole_match, $link_text, $link_id, $url, $title, $attributes);
}
1;
This is a bit kludgey as _GenerateAnchor isn't part of the public interface. You'd also need to use the OO interface rather than just the markdown function.
You could also contact the Text::MultiMarkdown author and see if he'll add a flag for this sort of thing. Maybe you could provide a patch to get things started.
You can also use HTML::Parser and friends to parse the HTML that comes out of Text::MultiMarkdown and add the target attributes yourself.

How to display xml response already formatted in html (IE won't show anything after the xml table)

If you visit this page in IE you'll see that nothing displays after the chart:
http://www.ratecatcher.com/prototype.htm
Here is the main php code:
$xml = file_get_contents($request);
echo html_entity_decode($xml);
Then the html that is giving me problems:
the user in IE won't see anything after this.
Is there a better way to display the html than html_entity_decode? I've heard about simplexml but I don't know if it works with html.
Thanks for helping!
You can try to use DOMDocument.
$dom = new DOMDocument('1.0', 'utf-8');
$dom->loadXML(file_get_contents($request)); // parse the response as XML instead of decoding it as a string
echo $dom->saveXML();                        // or saveHTML() to serialize it as HTML