I have a form with a text box that posts data to a PHP file that uses the function "htmlentities" to make it safe to email to the website owner.
The problem is that someone managed to get a hyperlink in the text and htmlentities() does not remove it.
This is my textbox html:
<input name="usertext" type="text" />
This is my PHP code that receives the post data (I left the email code out because that's not the problem. I changed it to just echo the received data so I could try to replicate what the hacker did. If I know how he did it, I can find a way to stop it from happening):
echo trim(htmlentities($_POST["usertext"], ENT_QUOTES));
Now the hacker sent some data and this was the resulting html (the source code - that means it showed a normal link in the browser):
<a target="_blank" href="mailto:[email protected]">[email protected]</a>
I thought that htmlentities() would always stop anyone from being able to enter html of any kind. If I enter a hyperlink such as:
<a href="aaa" />
I get:
&lt;a href=&quot;aaa&quot; /&gt;
But the hacker's text was not encoded like that.
So my questions are:
I did some research and it might be possible that the hacker encoded his text in UTF-7 or something?
I have already received a few emails with these same links. This hacker is obviously testing my website to see if he can do XSS or something.
No, functions like htmlspecialchars and htmlentities do not protect against all cases of Cross-Site Scripting. Cases in which these functions won't help are: The exploit data does not reach the server (DOM-based XSS).
htmlentities() Function: The htmlentities() function is an inbuilt function in PHP that converts all characters which have an HTML entity equivalent into that entity.
The htmlentities() function converts characters to HTML entities. Tip: To convert HTML entities back to characters, use the html_entity_decode() function. Tip: Use the get_html_translation_table() function to return the translation table used by htmlentities().
Nice question! I think you can read this link that explains the problem and gives a solution.
The proposed solution is to specify to the browser (through a meta tag) which charset is used in the page.
I think strip_tags exactly matches your needs: http://php.net/manual/en/function.strip-tags.php
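The two answers above (pin the charset so the browser never has to guess it; optionally strip markup with strip_tags) combined into one hardened replacement for the echo in the question. This is an added example, not code from the asker or from either answerer; it assumes the mbstring extension for mb_check_encoding, and the function names escape_for_html, strip_markup and render_page, the constructed sample strings and the placeholder mail address are all made up for this illustration.

```php
<?php
// Added example (not the asker's or answerers' code): a hardened version of
//   echo trim(htmlentities($_POST["usertext"], ENT_QUOTES));
// It (1) rejects input that is not valid UTF-8, so bytes in another charset
// such as UTF-7 are never echoed, (2) escapes with an explicit charset, and
// (3) pins the charset in both the HTTP header and a <meta> tag so the
// browser (or mail client) does not auto-detect the encoding.
declare(strict_types=1);

/**
 * Escape untrusted text for an HTML body. Throws if the bytes are not valid
 * UTF-8 (assumes the mbstring extension for mb_check_encoding).
 */
function escape_for_html(string $raw): string
{
    if (!mb_check_encoding($raw, 'UTF-8')) {
        throw new InvalidArgumentException('usertext is not valid UTF-8');
    }
    // ENT_QUOTES: encode both " and '; ENT_SUBSTITUTE: replace any stray
    // invalid sequence instead of returning an empty string; the third
    // argument names the charset explicitly rather than relying on defaults.
    return htmlspecialchars(trim($raw), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * The strip_tags variant from the second answer. strip_tags removes tags but
 * does not escape anything, so the result is still passed through
 * escape_for_html: stripping decides what text survives, escaping is what
 * actually prevents markup from being rendered.
 */
function strip_markup(string $raw): string
{
    return escape_for_html(strip_tags($raw));
}

/**
 * Wrap already-escaped text in a document whose charset is declared both in
 * the Content-Type header (when served over HTTP) and in a <meta> tag (the
 * only place a mail client can read it from).
 */
function render_page(string $escapedBody): string
{
    if (!headers_sent()) {
        header('Content-Type: text/html; charset=UTF-8');
    }
    return "<!DOCTYPE html>\n<html><head><meta charset=\"utf-8\">"
         . "<title>Contact form</title></head><body>"
         . "<p>{$escapedBody}</p></body></html>\n";
}

// Constructed sample inputs; the mail address is a placeholder, not the one
// from the question.
$samples = [
    'plain'  => 'Hello, I have a question about your site',
    'anchor' => '<a target="_blank" href="mailto:user@example.invalid">user@example.invalid</a>',
    'quotes' => "It's a \"quoted\" string",
];

foreach ($samples as $label => $text) {
    echo $label, " (escaped):  ", escape_for_html($text), "\n";
    echo $label, " (stripped): ", strip_markup($text), "\n";
}

// The request handler the form would post to:
if (isset($_POST['usertext'])) {
    echo render_page(escape_for_html((string) $_POST['usertext']));
}
```

Run from the command line, the anchor sample shows the difference between the two approaches: escape_for_html turns every `<`, `>` and `"` into `&lt;`, `&gt;` and `&quot;`, so the browser displays the tag as literal text, while strip_markup drops the tag and keeps only the address. Neither alone explains how a link survived the original code, but declaring the charset in the header and the meta tag removes the encoding-sniffing route the question suspects, and rejecting non-UTF-8 input means the escaper and the browser always agree on what the bytes mean.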