What do you do with html injections?
#1

[eluser]Mr.Data[/eluser]
Hello!
The page I created contains almost everywhere some forms where the user can type in some content which is displayed afterwards. If someone types in some html code I don't want this code to be rendered but it should be cleaned by a php function like htmlentities(). It is possible that I manually add the htmlentities() function to each output but can't you do this globally? What do you do if you come into such a situation?
#2

[eluser]CroNiX[/eluser]
Take a look at the form validation library.
#3

[eluser]Mr.Data[/eluser]
The prepping functions of the form validation class only can be used to filter form content in order to save it later and not to display it. Moreover I can't see an option there to do it globally.
#4

[eluser]CroNiX[/eluser]
I guess you missed reading the note right under the Prepping Functions section. You sure can display it without saving to the database. It's still stored in the post variable (the manipulated version if it passes validation). You're right, there isn't a default global option to do what you want.
#5

[eluser]PhilTem[/eluser]
For user input: Prepare the post-variables to not contain any harmful code (use e.g. xss-filtering)

For user output: Easiest way is to use htmlentities to convert each character to its corresponding html-entity. & turns to &amp;, ...
A more advanced approach is to use something like http://htmlpurifier.org because you have more control over how the original input data will be changed.
#6

[eluser]Mr.Data[/eluser]
Would it be a solution to apply htmlentities to each element of the array you send to the view?
Something like this:
Code:
$data = ...; // everything which should be displayed within the view
$data = array_map('htmlentities', $data); // escape every top-level string value of the view data
$this->load->view('view', $data);
#7

[eluser]PhilTem[/eluser]
That's the easiest method. But be careful with htmlentities' arguments. If you have set your pages' and database's charset to UTF-8 then you will get strange output from htmlentities since

Quote: If omitted, the default value for this argument is ISO-8859-1 in versions of PHP prior to 5.4.0, and UTF-8 from PHP 5.4.0 onwards
(from php.net)
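An added example (not code posted in this thread) that puts the two points above together: escaping the whole view-data array before `$this->load->view()`, with the charset passed explicitly so the ISO-8859-1 default of older PHP cannot mangle UTF-8. The helper name `escape_for_html` and the sample data are assumptions made for the example.

```php
<?php
// Added example, not from the thread: escape every string in the view data
// array with an explicit charset before handing it to the view.
// Recursion covers nested arrays, which the plain array_map('htmlentities', $data)
// call cannot handle (htmlentities rejects a non-string argument).

function escape_for_html($value, string $charset = 'UTF-8')
{
    if (is_array($value)) {
        // Escape each element while keeping the keys the view indexes by.
        return array_map(
            function ($v) use ($charset) { return escape_for_html($v, $charset); },
            $value
        );
    }
    if (is_string($value)) {
        // ENT_QUOTES also converts ' and " so the value is safe inside attributes.
        // ENT_SUBSTITUTE replaces invalid byte sequences instead of returning ''.
        return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, $charset);
    }
    // Integers, floats, booleans and null are passed through unchanged.
    return $value;
}

// Constructed sample view data: a script tag, quotes, an ampersand and UTF-8 umlauts.
$data = [
    'title'    => 'Grüße <script>alert(1)</script>',
    'comments' => ['He said "hi" & left', "it's"],
    'count'    => 2,
];

$escaped = escape_for_html($data);

// In a CodeIgniter controller this replaces the array_map call from post #6:
// $this->load->view('view', escape_for_html($data));

// The charset pitfall from post #7: escaping UTF-8 input with ISO-8859-1
// treats each byte of 'ü' as a separate Latin-1 character, so the two
// results below differ. Passing the charset explicitly avoids depending on
// the PHP version's default.
var_dump(htmlentities('ü', ENT_QUOTES, 'ISO-8859-1'));
var_dump(htmlentities('ü', ENT_QUOTES, 'UTF-8'));
```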