Whenever you create a web page that lets users submit text to your website, you need to be careful not to leave security holes open for malicious users to exploit. If user-submitted text is ever going to be displayed to the public, you should run it through the htmlentities() function so that it cannot inject HTML or scripts that would be harmful to your visitors.
Converting HTML into Entities in PHP
The htmlentities() function takes a string and returns a copy of it in which every character that has an HTML entity equivalent is replaced by that entity. In particular <, >, & and " (and, when the ENT_QUOTES flag is passed, ') are converted, which is what makes the result safe to echo into an HTML page.
Example:
The string "<script>" would be converted to "&lt;script&gt;". Converting < and > into entities prevents the browser from treating the text as an HTML element, so the script cannot run when you display a user's input on your website.
It becomes easier to follow if you think of the way a browser works in separate stages. Let's look at how htmlentities() changes the data at three different levels: in PHP, in the raw HTML sent to the browser, and in what the browser displays. The sample string is a malicious script that would redirect visitors to the attacker's own website.
// An imaginary article submission from a bad user.
// It will redirect anyone to www.r4r.co.in if the code is run in a browser.
$userInput = "r4rtechoft is a very useful site ! <script type='text/javascript'> window.location = 'http://www.r4r.co.in/' </script>";

// Let's make it safer before we use it. ENT_QUOTES also encodes single quotes,
// which matters if the value is ever placed inside a single-quoted attribute.
$userInputEntities = htmlentities($userInput, ENT_QUOTES, 'UTF-8');

// Now we can display it
echo $userInputEntities;
Output: The HTML output of the above script is as follows:
Safe Raw HTML Code:
r4rtechoft is a very useful site ! &lt;script type=&#039;text/javascript&#039;&gt; window.location = &#039;http://www.r4r.co.in/&#039; &lt;/script&gt;
If we had not used htmlentities() to convert the HTML into entities, this is what the raw HTML would have been, and it would have redirected every visitor to www.r4r.co.in:
Dangerous Raw HTML Code:
r4rtechoft is a very useful site ! <script type='text/javascript'> window.location = 'http://www.r4r.co.in/' </script>
The two HTML fragments above are what you would see if you viewed the source of the web page. If you viewed the page normally in your browser, you would see the following instead (the browser turns the entities back into the literal characters, but treats them as text, not markup):
Safe Display:
r4rtechoft is a very useful site ! <script type='text/javascript'> window.location = 'http://www.r4r.co.in/' </script>
Dangerous Display:
You would not see the page at all. The script runs as soon as the page loads and sends the visitor to whatever spammer site the malicious user chose, probably some herbal supplement or weight-loss-pill site.
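The same idea carried one step further than the tutorial's single echo, as an added example that is not part of the original page: the escaping helper e(), the safeUrl() check and the sample strings are assumptions made for this demonstration, while the flags passed to htmlentities() are its real parameters. It shows the value escaped for element content, escaped for a quoted attribute with and without ENT_QUOTES, and the one case the function does not help with on its own (a URL attribute).

```php
<?php
declare(strict_types=1);

// Added example, not from the original tutorial. e(), safeUrl() and the
// sample strings are made up for this demonstration.

// Escape a value for an HTML context. ENT_QUOTES also converts ' and ", so
// the result is safe inside quoted attribute values; ENT_SUBSTITUTE replaces
// invalid UTF-8 with U+FFFD instead of returning an empty string.
function e(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: a submission that tries to run a script.
$userInput = "r4rtechoft is a very useful site! <script>window.location='http://www.r4r.co.in/'</script>";

// 1. Element content: < and > become &lt; and &gt;, so the browser shows the
//    tag text instead of executing it.
echo '<p>' . e($userInput) . "</p>\n";

// 2. Attribute value: the payload tries to close the quoted value and add an
//    event handler. With ENT_QUOTES the single quote is encoded and the whole
//    string stays inside the attribute.
$attackerName = "x' onmouseover='alert(1)";
echo "<input type='text' value='" . e($attackerName) . "'>\n";

// The same value with ENT_COMPAT (the default before PHP 8.1), which encodes
// only double quotes: the single quote survives, the attacker's text ends the
// attribute early and the onmouseover handler becomes live.
echo "<input type='text' value='" . htmlentities($attackerName, ENT_COMPAT, 'UTF-8') . "'>\n";

// 3. What htmlentities() does not cover: URL attributes. "javascript:alert(1)"
//    contains no character that gets encoded, so the link still runs on click.
//    Check the scheme before escaping and fall back to a harmless value
//    (extend the allow-list if relative paths are expected).
function safeUrl(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : '#';
}

$attackerUrl = 'javascript:alert(1)';
echo "<a href='" . e($attackerUrl) . "'>profile</a>\n";          // still dangerous
echo "<a href='" . e(safeUrl($attackerUrl)) . "'>profile</a>\n"; // scheme rejected, link neutralised
```

Run it with php on the command line and compare the three pairs of lines: escaping is always the last step before output, and it must be chosen for the context the value lands in (element text, attribute, URL), not applied once at input time and forgotten.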
When Would You Use htmlentities()?
If you allow users to submit content that other visitors can see, you should consider removing their ability to use HTML at all. This takes away some of the nice things users could do, such as heavily customised content, but it protects your site from a large class of common attacks (cross-site scripting, or XSS). Two caveats apply. First, htmlentities() only makes a value safe for the HTML body and for quoted attribute values; it does not make a value safe inside a <script> block, a URL (an href of javascript:... passes through unchanged) or a CSS declaration, so those contexts need their own validation. Second, if you do want to permit a subset of markup, do not try to remove specific dangerous tags with custom code, because tag-based filtering is easy to bypass (attributes such as onmouseover on an allowed tag are one example). Either escape everything and then translate a small markup language of your own into the tags you allow, or use a purpose-built HTML sanitizer such as HTML Purifier.
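One way to take HTML away from users without taking away all formatting, as an added example that is not part of the original tutorial. The [b]/[i] bracket markup, renderPost() and the sample post are assumptions made for this demonstration; strip_tags(), htmlentities(), preg_replace() and nl2br() are standard PHP functions. The first approach (strip_tags with an allow-list) is shown because it is the obvious thing to try and the PHP manual itself warns that attributes on allowed tags are kept; the second escapes first and adds markup afterwards.

```php
<?php
declare(strict_types=1);

// Added example, not from the original tutorial. renderPost(), the [b]/[i]
// markup and the sample post are made up for this demonstration.

// Constructed sample input: an allowed tag carrying an event handler, some
// bracket markup, a bare ampersand and a line break.
$post = "I <b onmouseover=\"alert(1)\">love</b> this [b]site[/b] & the <i>tutorials</i>\nMore soon.";

// Approach 1: strip_tags() with an allow-list of tag names. Attributes on the
// allowed tags are left untouched, so the onmouseover handler on <b> reaches
// the browser. An allow-list of names is not enough on its own.
$stripped = strip_tags($post, '<b><i>');

// Approach 2: escape everything first, then translate a deliberately tiny
// markup of our own into the tags we are willing to emit. Every < > & " '
// typed by the user has already become an entity, so only the replacement
// tags written below can ever be parsed as HTML.
function renderPost(string $text): string
{
    $escaped = htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $patterns = [
        '~\[b\](.*?)\[/b\]~s' => '<b>$1</b>',
        '~\[i\](.*?)\[/i\]~s' => '<i>$1</i>',
    ];
    $html = (string) preg_replace(array_keys($patterns), array_values($patterns), $escaped);
    // Preserve the user's line breaks, which escaping leaves as plain newlines.
    return nl2br($html);
}

echo "strip_tags result (unsafe, handler survives):\n", $stripped, "\n\n";
echo "escape-then-markup result (safe):\n", renderPost($post), "\n";
```

The second output contains exactly two kinds of tag, the ones the regular expressions emit, and nothing the user typed between them can break out, because it was already converted to entities before the markup pass ran. Keep the markup language small and its patterns anchored on literal delimiters; the moment a pattern starts passing user-controlled text into an attribute (a URL in a [url] tag, for instance) that attribute needs the same scheme check as any other URL.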