Monday 13 May 2019

php - Sanitizing input but output not as expected



This is one of my forms(PHP+MySQL, textarea replaced by TinyMCE). It records description with paragraphs, bullets, headings and text alignment (right, left, center and justify).



enter image description here



Once submitted, the record appears as




Introduction


The death of the pixel leaves you with a flowing, magazine-quality canvas to design for. A canvas where curves are curves, not ugly pixel approximations of curves. A canvas that begins to blur the line between what we consider to be real and what we consider to be virtual.


It wasn't too long ago that there was one set of rules for use of type on print and use of type on screen. Now that we have screens that are essentially print quality, we have to reevaluate these conventions.


Web sites are transforming from boring fields of Arial to embrace the gamut of typographical possibilities offered by web fonts. Web fonts, combined with the style and layout options presented by the creative use of CSS and JavaScript offer a new world of typographic oppor



  1. point 1

  2. point 2

  3. point 3





I read that you need to sanitize any data that goes into the database to avoid XSS and started looking for a solution.



The solution I found is to use "htmlspecialchars()" (Source: Lynda.com - Creating Secure PHP Websites).



So, the tutorial says that we need to sanitize our input before saving to the database and use something like (sample code)



    if($_SERVER['REQUEST_METHOD'] === 'POST') {

$category_description = $_POST['category_description'];
echo $category_description;
echo '

';
echo htmlspecialchars($category_description);
echo '

';
echo htmlentities($category_description);
echo '

';
echo strip_tags($category_description);

}

?>


to avoid XSS.



I get it till here. The htmlspecialchars() function converts some predefined characters to HTML entities, htmlentities() converts characters to HTML entities and strip_tags() removes any tags altogether.



But after using htmlspecialchars(), htmlentities() and strip_tags(), the output now renders as



enter image description here




which I believe is safe but doesn't looks good on the front page when fetched from database.



How do I render an input which has been passed through htmlspecialchars or htmlentities?


Answer



My suggestion is to build a function to sanitize all your text inputs and a function to check all your outputs that comes from the database or any other sources, like following:



// filter for user input
function filterInput($content)

{
$content = trim($content);
$content = stripslashes($content);

return $content;
}

//filter for viewing data
function filterOutput($content)
{

$content = htmlentities($content, ENT_NOQUOTES);
$content = nl2br($content, false);

return $content;
}


depending on your strategy, you might added extra features to the filter or remove some. But what you have a function here is enough to protect you against XSS.



EDIT: in addition to above function, this answer might also be relevant in part of your website protection.




Reference to the different methods:





It is also a good idea to look at following links:





And importantly it is good to be aware of Top 10 risks and learn more about it.





No comments:

Post a Comment

php - file_get_contents shows unexpected output while reading a file

I want to output an inline jpg image as a base64 encoded string, however when I do this : $contents = file_get_contents($filename); print &q...