Data containing HTML or JavaScript can really be one of the biggest problems, especially when it comes from a ‘user’. Take a simple application like a blog, where a user can submit a comment after reading a post and the comment is then displayed. If the user is ‘not that bad’ and enters only plain text, then there is seriously no problem. But what happens if the user submits this data:
<b><i>Post seems great.</i></b>
What will happen? The situation is not as easy as it seems; it gets complicated. The browser cannot tell the difference between the HTML tags that belong to the blog page and the tags inside the comment, so the comment's tags get embedded directly in the page and rendered as markup.
It is still fine if the user closes the HTML tags, as in the code above, where every tag is closed properly. If the tags are not closed properly, the situation gets extremely bad: the browser will no longer display the page correctly. For instance, if someone submits the following, the effects will not be good!
<b or > or <a href="
The situation gets far worse if the input contains JavaScript. A malicious person can steal your cookies and send them to his inbox, redirect your page to another web page, or steal the passwords saved in your ‘browser’. A lot can be done with JavaScript.
This kind of ‘problem where someone injects something and indirectly gets hold of many things’ is called an XSS (Cross Site Scripting) attack.
If you want to be safe from XSS then you need to write your code carefully, and keeping in mind that *you should never display the user's input directly* will be a beneficial add-on. You need to remove the HTML tags/scripts, or encode them, before displaying the input on the site.
You will be glad to know that PHP gives you two functions to remove HTML tags or to encode the special characters:
1. strip_tags(): removes the HTML tags from a string.
2. htmlentities(): encodes the special HTML characters, so the browser shows them as text instead of interpreting them.
Let’s see how to use those functions:
// Remove the HTML tags from the comment before printing it
$comment = strip_tags($_POST['comment']);
print $comment;
If $_POST['comment'] contains
<b>Hi..</b> Your <div> <span>article</span> </div> seems <i>perfect.</i>
it will simply display:
Hi.. Your article seems perfect.
Now let’s see the htmlentities() function:
// Encode the special HTML characters in the comment before printing it
$comment = htmlentities($_POST['comment']);
print $comment;
If $_POST['comment'] contains
<b>Hi..</b> Your <div> <span>article</span> </div> is <i>awesome.</i>
the HTML source sent to the browser becomes
&lt;b&gt;Hi..&lt;/b&gt; Your &lt;div&gt; &lt;span&gt;article&lt;/span&gt; &lt;/div&gt; is &lt;i&gt;awesome.&lt;/i&gt;
and the browser will display it as plain text, tags included:
<b>Hi..</b> Your <div> <span>article</span> </div> is <i>awesome.</i>
The special characters have been changed to entities:
< to &lt;
> to &gt;
" to &quot;
Now the browser displays the page as it should, showing the not-so-good input from the malicious user as harmless text instead of interpreting it. You also need to give the form fields default values, and encode those too, to stay protected from XSS.
Make an array of default values, as in the example:
// If the form was submitted (the hidden field _submit_check is present),
// refill the fields from the submitted values; otherwise use fixed defaults
if ($_POST['_submit_check']) {
$default = $_POST;
}
else {
$default = array('name' => 'abc',
'email' => 'abc@abc.com',
'web' => 'www.google.com',
'comment' => 'xyz');
}
See how to set the default value in a multiline text area; the value is encoded with htmlentities() before it is printed:
print '<textarea name="comment">';
print htmlentities($default['comment']);
print '</textarea>';
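To tie the two halves together, here is an added, self-contained example that is not part of the original post: it wraps htmlentities() in a small helper, refills the form from the submitted values exactly as the default-value snippet above does, and runs the post's own sample inputs through both strip_tags() and htmlentities(). The function names and the simulated $_POST array are my own constructed choices.

```php
<?php
// Added example (not from the original post): encoding user comments and
// form defaults before echoing them back, using PHP's built-in functions.
// Function names and the sample data below are constructed for this example.

declare(strict_types=1);

// Encode a value for safe output inside HTML text or a quoted attribute.
// ENT_QUOTES is passed explicitly so that single quotes are encoded too
// (before PHP 8.1 the default flags only encoded double quotes).
function encode_for_html(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Variant that first removes tags (as the post's strip_tags example does)
// and then encodes whatever text is left, so the output is safe either way.
function strip_and_encode(string $value): string
{
    return encode_for_html(strip_tags($value));
}

// Build the comment form. On the first visit the fields get fixed defaults;
// after a submit they are refilled from the posted values. Every value is
// encoded on the way out, so a submitted tag is shown as text, never run.
function render_comment_form(array $post): string
{
    if (isset($post['_submit_check'])) {
        $default = $post;
    } else {
        $default = [
            'name'    => 'abc',
            'email'   => 'abc@abc.com',
            'web'     => 'www.google.com',
            'comment' => 'xyz',
        ];
    }

    $html  = '<form method="post">' . "\n";
    $html .= '<input type="hidden" name="_submit_check" value="1">' . "\n";
    foreach (['name', 'email', 'web'] as $field) {
        $value = encode_for_html((string) ($default[$field] ?? ''));
        $html .= sprintf('<input type="text" name="%s" value="%s">' . "\n", $field, $value);
    }
    $html .= '<textarea name="comment">'
           . encode_for_html((string) ($default['comment'] ?? ''))
           . '</textarea>' . "\n";
    $html .= '</form>' . "\n";
    return $html;
}

// Constructed sample inputs, taken from the post's own examples: one with
// properly closed tags and one with an unclosed tag.
$samples = [
    '<b>Hi..</b> Your <div> <span>article</span> </div> seems <i>perfect.</i>',
    '<b or > or <a href="',
];

foreach ($samples as $raw) {
    echo "strip_tags   : ", strip_and_encode($raw), "\n";
    echo "htmlentities : ", encode_for_html($raw), "\n\n";
}

// Simulate a submitted form (constructed; this would be $_POST on a real page).
$fakePost = [
    '_submit_check' => '1',
    'name'          => 'abc',
    'email'         => 'abc@abc.com',
    'web'           => 'www.google.com',
    'comment'       => '<b or > or <a href="',
];
echo render_comment_form($fakePost);
```

Run it with `php example.php` and compare the two lines printed for each sample: strip_tags() throws the markup away (including everything after the unclosed `<a href="`), while htmlentities() keeps the user's text intact and only neutralises it. The PHP manual itself notes that strip_tags() should not be relied on to prevent XSS; encoding at output time with htmlentities() or htmlspecialchars(), with ENT_QUOTES when the value lands inside an attribute, is the check that actually matters.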
This is one way we can prevent scripts from being injected. Reposted from ‘Kuwait Hackers’.