How to filter data entries in PHP

7

Good evening, I have a form for data entry that is displayed on the screen. The problem is that this data can contain HTML tags or scripts; if someone puts this code in my form, the page will be redirected.

<meta http-equiv="refresh" content="6; url=http://pt.stackoverflow.com/">   

How could I clean html tags or any other malicious injection type?

    
asked by anonymous 16.02.2015 / 04:33

3 answers

8

Short answer!

strip_tags() still allows other types of XSS, so use htmlspecialchars() instead:

echo htmlspecialchars($Variavel, ENT_QUOTES, 'UTF-8');

Long answer...

Let's begin in parts. What you want is to protect yourself from XSS: your data entry is enabling the injection of commands or markup. We will analyze this well in order to create a 100% functional solution; in security we must be calculating.

Analyzing the scenario where XSS can happen!

Let's consider two scenarios for this situation:

<input type="text" value="$Suspeito">

And another common one is when we put the content into a div:

<div class="container" id="ct">
    <?php echo $Suspeito ?>
</div>

Now, let's replace this variable with a classic XSS payload.

It does not work!

<input type="text" value="<script> alert("Xss here");</script> ">

It works!

<div class="container" id="ct">
    <script> alert("Xss here");</script> 
</div>

Solution at first sight!

We can add extra protection using strip_tags() to escape the tags!

Let's see how it would look if our variable had a protection with strip_tags():

It does not work!

<input type="text" value="alert("Xss here"); ">

It does not work!

<div class="container" id="ct">
    alert("Xss here"); 
</div>

Just like in Brazil, there is a way around everything, and this solution is far from solving every problem; just use your imagination.

Imagine this situation: apparently there are no problems, right?

Wrong. Let's force our imagination: I need to fuck with this code without using tags.

<?php $Suspeito = '" onfocus=document.write("");" fecha="'; ?>
<input type="text" value="" onfocus=document.write("");" fecha="">

Oops, now there's trouble. Is that the only one?

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>


'';!--"<XSS>=&{()}

<IMG SRC="javascript:alert('XSS');">

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

So we need another solution that does not fail that way. Remember that we have another problem too: if you strip the tags, no one will be able to use them... think of math, comparisons, or even code; you just lose data...

More flexible solution

By limiting the encoding to UTF-8 and using htmlspecialchars, it becomes possible to use tags and scripts in HTML without having any effect on the page: the characters < and > are replaced by &lt; and &gt;.

16.02.2015 / 06:10
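As an added example (not code from this answer), the following PHP script puts the two output contexts from the answer, an attribute value and a div body, side by side and runs the answer's own payloads through strip_tags() and through htmlspecialchars() with ENT_QUOTES. The helper names (esc, render_input, render_div) and the $payloads array are constructed here for the demonstration.

```php
<?php
// Added example, not code from the answer: compare strip_tags() and
// htmlspecialchars() against the payloads shown above, in both output
// contexts (attribute value and element body). Payload values are the
// ones quoted in the answer, assembled here into an array.
declare(strict_types=1);

function esc(string $s): string
{
    // ENT_QUOTES escapes both " and ' so the value can never close an attribute;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string;
    // the explicit charset avoids relying on default_charset in php.ini.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_input(string $value): string
{
    // Scenario 1 from the answer: data placed inside a quoted attribute.
    return '<input type="text" value="' . $value . '">';
}

function render_div(string $value): string
{
    // Scenario 2 from the answer: data placed directly in element content.
    return '<div class="container" id="ct">' . $value . '</div>';
}

$payloads = [
    'script tag'         => '<script> alert("Xss here");</script>',
    'attribute breakout' => '" onfocus=document.write("");" fecha="',
    'meta refresh'       => '<meta http-equiv="refresh" content="6; url=http://pt.stackoverflow.com/">',
];

foreach ($payloads as $label => $Suspeito) {
    echo "== $label ==\n";
    // strip_tags() removes <...> but leaves quotes and event handlers alone,
    // so the "attribute breakout" payload survives it untouched.
    echo 'strip_tags        input: ' . render_input(strip_tags($Suspeito)) . "\n";
    echo 'strip_tags        div  : ' . render_div(strip_tags($Suspeito)) . "\n";
    // htmlspecialchars() turns <, >, ", ' and & into entities, so the browser
    // shows the payload as text in both contexts instead of interpreting it.
    echo 'htmlspecialchars  input: ' . render_input(esc($Suspeito)) . "\n";
    echo 'htmlspecialchars  div  : ' . render_div(esc($Suspeito)) . "\n\n";
}
```

Run it with `php example.php` and look at the "attribute breakout" section: the strip_tags() line reproduces the broken `<input ... onfocus=...>` markup from the answer, while the htmlspecialchars() line keeps the whole string inside the original value="..." attribute. The same esc() helper is correct for both contexts as long as the attribute is quoted; unquoted attributes would need a stricter encoder.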
4

You want to know how you can strip these tags when they are entered in the text field and added to the MySQL database, avoiding unnecessary redirects on ECHO, am I right?

If YES, you can use the strip_tags() function, which removes HTML tags from strings.

    
16.02.2015 / 04:46
2

There are ways and ways to solve problems. I personally prefer to use PHP the right way when it comes to PHP, because the language has numerous solutions to everyday problems, where juggling is usually done to arrive at the same solution.

Whenever you get information from an unknown source, such as data sent from a form, you should always treat both the input and the output, whether it is sent to or received from a database or displayed on the HTML page itself.

In the PHP language there are filters, which are used to validate and to sanitize input (such as FILTER_SANITIZE_STRING, which cleans strings, and FILTER_SANITIZE_EMAIL, which removes characters that are not used to construct an e-mail). These filters work in conjunction with the filter_var function, filter_input and others.

Considering the PHP documentation and the PHP: The Right Way reference, I would use the example below:

<?php

// insecure: the raw input is echoed straight into the page
$input = 'alert("ola")';
echo $input;

// safe: the sanitize filter strips tags and encodes special characters before output
$input_filter = filter_var($input, FILTER_SANITIZE_STRING);
echo "<br>" . $input_filter;

Example on ideone: link

    
16.02.2015 / 16:10
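As an added example (not code from this answer), here is the filter-based approach applied to a whole form submission with filter_var_array(), separating validation (reject the request) from sanitization (rewrite the value), and escaping again on output with htmlspecialchars(). The $submitted array stands in for $_POST and is constructed here; the function name check_form is an assumption. It uses FILTER_SANITIZE_FULL_SPECIAL_CHARS rather than FILTER_SANITIZE_STRING because the latter is deprecated as of PHP 8.1.

```php
<?php
// Added example, not code from the answer: validate-then-sanitize a form
// submission with PHP's filter extension, then escape on output.
// $submitted is constructed here to stand in for $_POST.
declare(strict_types=1);

$submitted = [
    'name'  => '<script>alert("XSS")</script>Maria',
    'email' => 'maria@example.com<script>',
    'age'   => '42abc',
    'bio'   => '" onfocus=document.write("") x="',
];

// One filter definition per field. Validators return false on bad input
// (null if the field is missing); sanitizers rewrite the value.
// FILTER_SANITIZE_FULL_SPECIAL_CHARS is the non-deprecated replacement for
// FILTER_SANITIZE_STRING (deprecated since PHP 8.1) and HTML-encodes
// <, >, ", ' and & just like htmlspecialchars() with ENT_QUOTES.
$definition = [
    'name'  => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
    'email' => FILTER_VALIDATE_EMAIL,
    'age'   => ['filter'  => FILTER_VALIDATE_INT,
                'options' => ['min_range' => 0, 'max_range' => 150]],
    'bio'   => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
];

/**
 * Returns ['values' => [...], 'errors' => [...]]. A request with any
 * validation error should be rejected rather than partially stored.
 * (hypothetical helper written for this example)
 */
function check_form(array $input, array $definition): array
{
    $filtered = filter_var_array($input, $definition);
    $errors = [];
    foreach ($definition as $field => $_) {
        // false = failed validation, null = field absent from the request
        if ($filtered[$field] === false || $filtered[$field] === null) {
            $errors[$field] = "invalid or missing value for '$field'";
        }
    }
    return ['values' => $filtered, 'errors' => $errors];
}

$result = check_form($submitted, $definition);

if ($result['errors'] !== []) {
    // email and age fail validation in this constructed input
    foreach ($result['errors'] as $message) {
        echo "rejected: $message\n";
    }
}

// Whatever was accepted is still escaped at the point of output: sanitizing
// on input does not remove the need to encode for the context you print into.
foreach ($result['values'] as $field => $value) {
    if ($value === false || $value === null) {
        continue;
    }
    $safe = htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    echo '<p><b>' . $field . ':</b> ' . $safe . "</p>\n";
}
```

With this input the script reports email and age as rejected, and the name and bio fields come back with their markup and quotes encoded, so neither the `<script>` tag nor the `" onfocus=` breakout reaches the browser as live markup. Because the stored value is already encoded, the second htmlspecialchars() call double-encodes the entities (`&amp;lt;`); if you adopt this pattern, pick one place to encode, preferably the output, and store the raw value.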