PHP htmlentities not enough to stop hackers injecting html from form

Question

I have a form with a text box that posts data to a php file that uses the function "htmlentities" to make it safe to email to the website owner.

The problem is that someone managed to get a hyperlink in the text and htmlentities() does not remove it.

This is my textbox html:

<input name="usertext" type="text" />

This is my PHP code that receives the post data (I left the email code out because that's not the problem. I changed it to just echo the received data so I could try to replicate what the hacker did. If I know how he did it, I can find a way to stop it from happening):

echo trim(htmlentities($_POST["usertext"], ENT_QUOTES));

Now the hacker send some data and this was the result html (the source code - that means it showed a normal link in the browser):

<a target="_blank" href="mailto:[email protected]">[email protected]</a>

I thought that htmlentities() would always stop anyone from being able to enter html of any kind. If I enter a hyperlink such as:

<a href="aaa" />

I get:

<a href="aaa" />

But the hacker's text was not encoded like that.

So my questions are:

1. How did the hacker enter html tags so that the htmlentities() function did nothing to it?
2. How would I replicate it for testing? (could be answered by above question)

I did some research and it might be possible that the hacker encoded his text in utf-7 or something?

I have already received a few emails with these same links. This hacker is obviously testing my website to see if he can do XSS or something.

Answer 1

Nice question! I think you can read this link that explain the problem and gives a solution.

The proposed solution is to specify to the browser (through a meta tag) which charset is used in the page.

Answer 2

I think strip_tags exactly match your needs : http://php.net/manual/en/function.strip-tags.php