I need to send a form to PHP, but one of the fields contains HTML.
When it's in the form it's fine, and will show:
<input id="addNote" value="<div class="line">This is my line</div>"/>
However, when I POST it to the server, the HTML tags have been stripped out, so it comes through as 'This is my line'. What do I need to do to make sure the tags don't get stripped out?
Thanks!
When embedding html-in-html, you should encode the HTML metacharacters so they can't be mis-interpreted:
<input id="addNote" value="&lt;div class=&quot;line&quot;&gt;This is my line&lt;/div&gt;" />
This is especially true with " characters, as they'll break the form for the parser. e.g.
<input ... value="<div class="line" .... />
^---
The indicated quote will be translated as ENDING the value= portion, and line" being the start of some other non-standard/unknown tag attribute.
<input id="addNote" value="<div class="line">This is my line</div>"/> does not work at all!
Since you're using " to limit the value of the input field, you have two choices:
Change the " character to ':
<input id="addNote" value='<div class="line">This is my line</div>'/>
Substitute the quotes (") inside the value for &quot;:
<input id="addNote" value="<div class=&quot;line&quot;>This is my line</div>"/>
However, none of this matters if your PHP script deletes HTML tags...
in your .php file use this -
echo htmlentities($_POST['addNote']);
and in your html file use single quote.
<input id="addNote" name="addNote" value="<div class='line'>This is my line</div>"/>
I'm sure someone will mark this as a duplicate question but no other answers worked for me.
I am using ruby and passing a variable into my html page. Let's say my variable "camp_name" is equal to "abc'd"
<%=camp_name%>
This outputs "abc'd" which is what I want.
<input type="text" class="form-control" name="campaign_name" required value='<%=camp_name%>'>
The value in the field is now "abc" because of the single apostrophe. How do I get it to ignore apostrophes? Thanks.
You can escape the variable to html entities:
camp_name.gsub("'", "&#39;")
You should do that for other characters as well, because, as mentioned by a comment, the user could simply insert an HTML tag in your page with your current script. Probably the most important ones are the following:
camp_name.gsub("<", "&lt;")
camp_name.gsub(">", "&gt;")
If you're using Rack (which would definitely be in use if you're using Rails or Sinatra, and it might be there even if you're not), there is a builtin for escaping HTML for just this kind of thing. Calling Rack::Utils#escape_html will replace ampersands, brackets, and quotes with their HTML entities (e.g. &#39; instead of ').
In your case, you'd want the following code:
<input type="text" class="form-control" name="campaign_name" required value='<%= Rack::Utils.escape_html(camp_name) %>'>
This would evaluate to:
<input type="text" class="form-control" name="campaign_name" required value='abc&#39;d'>
which is the proper way of displaying an apostrophe in HTML.
Just as a side note, displaying user-submitted text without escaping on a website is a very bad idea, because malicious users can add arbitrary Javascript that could render your site useless, add advertisements, and more. You should definitely get into the habit of escaping any text that users can submit before displaying it, either by gsubing manually or using a helper method like this.
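As an added example (not from any of the answers above, which pass the value through Rack::Utils.escape_html or gsub): a Ruby script that mirrors the set of characters Rack::Utils.escape_html replaces and uses a toy attribute reader to show why the unescaped "abc'd" from this question arrives as "abc" while the escaped value round-trips; the same check covers the double-quote truncation from the first question on this page. The names escape_attr, input_tag, read_attr and submitted_value are chosen here, and the input values are constructed samples.

```ruby
require "cgi"

# Escape the five HTML metacharacters, the same set Rack::Utils.escape_html
# replaces. "&" must go first so the other entities are not double-encoded.
def escape_attr(str)
  str.gsub("&", "&amp;").gsub("<", "&lt;").gsub(">", "&gt;")
     .gsub('"', "&quot;").gsub("'", "&#39;")
end

# The <input> from the question, with the value placed inside single quotes.
def input_tag(value)
  %(<input type="text" class="form-control" name="campaign_name" required value='#{value}'>)
end

# Toy attribute reader: like a browser's tokenizer, the value ends at the
# first quote matching the one that opened it. Returns nil if not found.
def read_attr(tag, name)
  m = tag.match(/\b#{Regexp.escape(name)}=(["'])(.*?)\1/m)
  m && m[2]
end

# What the browser submits: the attribute text with entities decoded.
def submitted_value(raw, escape: true)
  value = escape ? escape_attr(raw) : raw
  CGI.unescapeHTML(read_attr(input_tag(value), "value") || "")
end

if __FILE__ == $0
  camp_name = "abc'd"                              # constructed sample from the question
  puts submitted_value(camp_name, escape: false)   # abc    (truncated at the apostrophe)
  puts submitted_value(camp_name)                  # abc'd  (escaped as abc&#39;d)
end
```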
Storytime
In Play's templating scheme, I have this simplified setup:
#(param:String)
<!DOCTYPE html>
<html> <head><!-- JQuery & Bootstrap css+js includes --></head> <body>
#param
<input type="text" data-provide="typeahead" data-source='#Html(param)' data-items="4">
</body> </html>
The #Html() is mentioned here and the bottom of here and basically prevents characters like < from being replaced with &lt;. I'm attempting to pass in a Json.stringify-ed and Json.toJson-ed List[String] that I get from my database into the HTML through Play's template engine, and then have Bootstrap pick it up automatically from the data-source attribute.
Say #param evaluates to a JSON object that contains a string with a ':
<input data-provide="typeahead" data-source='["can't","hi","boom"]' data-items="4" type="text" >
I realized that the single quote characters needed to be escaped in my data-source JSON object. At first I experimented with using \ and even \\\ to no avail. I even set out to write a regex replacer for the task to emulate the addSlashes() mentioned here
Then on a whim...
<input data-provide="typeahead" data-source='["can&#39;t","hi", "boom"]' data-items="4" type="text" >
Everything works normally now! (when the data-source is hardcoded. Still need to figure out how to unescape #Html() so that ' doesn't disappear.)
Question
Why does Bootstrap Typeahead need to read in the data-source with the single-quote characters unescaped?
For posterity:
val quoteRegex = """'""".r
quoteRegex.replaceAllIn(str, m => "&#39;")
The problem with the single quotes is that it truncates your data-source attribute. The html parser is going to read your html and give you something like
<input data-provide="typeahead" data-source='["can' t","hi","boom"]' data-items="4" type="text" >
and your data-source attribute will have a value of ["can. So the problem isn't typeahead.
When you encode the single quote it no longer breaks the attribute and the encoded quote is added to the DOM unencoded so you get the ' instead of &#39;.
This is probably a really simple one but I can't find the answer anywhere!
I have a self submitting form with a textarea field like this
<textarea name="desc" wrap="1" cols="64" rows="5"></textarea>
When I type HTML characters in to the textarea field and hit the submit button, the HTML characters are being stripped and I can't see what is doing it!
Do $_GET variables have their HTML stripped automatically?
For example, If I type '[strong]Just[/strong] a test' in to the textarea, and echo the contents of 'desc' like this
echo(print_r($_GET));
I see $_GET['desc'] contains 'Just a test' rather than '[strong]Just[/strong] a test'.
Is this normal? If so, is there a way to keep the HTML so I can store it in a database?
I am using angle '<>' brackets rather than square '[]' in my code, but this forum converts them if I use them here!
Use CDATA
A CDATA section starts with "<![CDATA[" and ends with "]]>"
Source: http://www.w3schools.com/xml/xml_cdata.asp
Where are you printing the data to? The web will parse the HTML and if you're not looking at the page source you're only going to see the non-HTML parts.
However, you should be using print htmlentities($_GET['desc']) to print out the contents with the HTML content properly encoded so it's printed instead of parsed.
Well, I know that "correct" escaping will help to prevent SQL injection.
But I saw people escaping values in HTML
<input type="text" value =/"some/" /> <!-- some escaped, why? -->
Question is:
Why to escape in HTML?
<input type="text" value =/"some/" /> <!-- some escaped, why? -->
That is a syntax error. Don't do that.
Use character references to represent special characters (&, <, etc).
Why to escape in HTML?
(Assuming you use the correct syntax to do so): because some characters have special meaning in HTML. For example, you don't want a " (in the data) ending your attribute value prematurely since that can:
Lose data
Lose data but have it display in the page
Allow third parties to inject their JavaScript into your pages and steal data / redirect people to phishing sites / etc
I need to post multi-line data via a hidden field. The data will be viewed in a textarea after post. How can I post a newline/carriage return in the html form?
I've tried \r\n but that just posts the actual "\r\n" data
<input type="hidden" name="multiline_data" value="line one\r\nline two" />
Is there a way to do this?
Instead of using
<input type="hidden">
Try using
<textarea style="visibility:hidden;position:absolute;">
While new lines (Carriage Return & Line Feed) are technically allowed in <input>'s hidden state, they should be escaped for compatibility with older browsers. You can do this by replacing all Carriage Returns (\u000D or \r) and all Line Feeds (\u000A or \n) with proprietary strings that are recognized by your application to be a Carriage Return or New Line (and also escaped, if present in the original string).
Simply character entities don't work here, due to non-conforming browsers possibly knowing &#13; and &#10; are new lines and stripping them from the value.
Example
For example, in PHP, if you were to echo the passed value to a textarea, you would include the newlines (and unescaped string).
<textarea>Some text with a \ included
and a new line with \r\n as submitted value</textarea>
However, in PHP, if you were to echo the value to the value attribute of an <input> tag, you would escape the new lines with your proprietary strings (e.g. \r and \n), and escape any instances of your proprietary strings in the submitted value.
<input type="hidden" value="Some text with a \\ included\r\nand a new line\\r\\n as submitted value">
Then, before using the value elsewhere (inserting into a database, emailing, etc), be sure to unescape the submitted value, if necessary.
Reassurance
As further reassurance, I asked the WHATWG, and Ian Hickson, editor of the HTML spec currently, replied:
bfrohs Question about <input type=hidden> -- Are Line Feeds and Carriage Returns allowed in the value? They are specifically disallowed in Text state and Search state, but no mention is made for Hidden state. And, if not, is there an acceptable HTML solution for storing form data from a textarea?
Hixie yes, they are allowed // iirc // for legacy reasons you may wish to escape them though as some browsers normalise them away // i forget if we fixed that or not // in the spec
Source
Depends on the character set really but &#10; should be linefeed and &#13; should be carriage return. You should be able to use those in the value attribute.
You don't say what this is for or what technology you're using, but you need to be aware that you can't trust the hidden field to remain with value="line one
line two", because a hostile user can tamper with it before it gets sent back in the POST. Since you're putting the value in a <textarea> later, you will definitely be subject to, for example, cross site scripting attacks unless you verify and/or sanitize your "multiline_data" field contents before you write it back out.
When writing a value into a hidden field and reading it back, it's usually better to just keep it on the server, as an attribute of the session, or pageflow, or whatever your environment provides to do this kind of thing.
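An added example (not from the accepted answer, which describes the scheme in PHP terms): a Ruby version of the reversible "proprietary string" escaping that answer recommends, with backslash as the escape character (\ becomes \\, CR becomes \r, LF becomes \n), the matching unescape, and a round trip through a double-quoted hidden field. The names escape_newlines, unescape_newlines, hidden_field and round_trip are chosen here; CGI.escapeHTML on output is separate from the newline scheme and is what keeps a quote in the data from ending the attribute.

```ruby
require "cgi"

# Escape CR/LF and the escape character itself as two-character sequences
# that no browser will normalise away. Block form of gsub is used so the
# replacement text is taken literally (no backslash processing).
def escape_newlines(str)
  str.gsub("\\") { "\\\\" }.gsub("\r") { "\\r" }.gsub("\n") { "\\n" }
end

# Reverse it in one left-to-right pass, so text that already contained the
# two characters "\r" (escaped as "\\r") comes back unchanged.
def unescape_newlines(str)
  str.gsub(/\\(.)/m) do
    case $1
    when "r"  then "\r"
    when "n"  then "\n"
    when "\\" then "\\"
    else "\\#{$1}"      # unknown escape: leave it as written
    end
  end
end

# Render the hidden field; CGI.escapeHTML keeps quotes and angle brackets
# in the value from breaking out of the attribute.
def hidden_field(name, value)
  %(<input type="hidden" name="#{name}" value="#{CGI.escapeHTML(escape_newlines(value))}">)
end

# Simulate the round trip: the browser submits the decoded attribute text,
# and the server undoes the newline escaping before storing or displaying it.
def round_trip(text)
  tag = hidden_field("multiline_data", text)
  submitted = CGI.unescapeHTML(tag[/value="([^"]*)"/, 1])
  unescape_newlines(submitted)
end

if __FILE__ == $0
  sample = "line one\r\nline two with a \\ and the letters \\r"  # constructed sample
  puts hidden_field("multiline_data", sample)
  puts round_trip(sample) == sample   # true
end
```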