 

PHP htmlentities not enough to stop hackers injecting html from form

I have a form with a text box that posts data to a php file that uses the function "htmlentities" to make it safe to email to the website owner.

The problem is that someone managed to get a hyperlink in the text and htmlentities() does not remove it.

This is my textbox html:

<input name="usertext" type="text" />

This is my PHP code that receives the post data (I left the email code out because that's not the problem. I changed it to just echo the received data so I could try to replicate what the hacker did. If I know how he did it, I can find a way to stop it from happening):

echo trim(htmlentities($_POST["usertext"], ENT_QUOTES));

Now the hacker sent some data and this was the resulting HTML (the source code, meaning it showed a normal link in the browser):

<a target="_blank" href="mailto:[email protected]">[email protected]</a>

I thought that htmlentities() would always stop anyone from being able to enter html of any kind. If I enter a hyperlink such as:

<a href="aaa" />

I get:

&lt;a href="aaa" /&gt;

But the hacker's text was not encoded like that.

So my questions are:

  1. How did the hacker enter html tags so that the htmlentities() function did nothing to it?
  2. How would I replicate it for testing? (could be answered by above question)

I did some research and it might be possible that the hacker encoded his text in utf-7 or something?

I have already received a few emails with these same links. This hacker is obviously testing my website to see if he can do XSS or something.

Daniel asked Jan 10 '13 14:01




2 Answers

Nice question! I think you can read this link, which explains the problem and gives a solution.

The proposed solution is to specify to the browser (through a meta tag) which charset is used in the page.

Alepac answered Oct 21 '22 17:10


I think strip_tags exactly matches your needs: http://php.net/manual/en/function.strip-tags.php

Epoc answered Oct 21 '22 16:10
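The UTF-7 trick the question suspects and the first answer's charset fix, as an added example that is not code from the question or from either answer. It is written in Python rather than PHP because the mechanism is an encoding property, not anything PHP-specific: html.escape() stands in for htmlentities($s, ENT_QUOTES), a regex stands in for strip_tags() from the second answer, and the mailto address is a constructed placeholder. It shows that the UTF-7 form of the link contains none of the characters htmlentities() rewrites and no literal "<", so neither escaping nor tag-stripping changes it; a browser that guesses UTF-7 because the page declares no charset (older Internet Explorer would) decodes it back into a live link, while a page that declares its charset shows the same bytes as plain text.

```python
"""Added example (not code from the question or either answer).

Python stands in for PHP here: html.escape() plays the role of
htmlentities($s, ENT_QUOTES) and a regex plays the role of strip_tags().
The mailto address is a constructed placeholder.
"""
import base64
import html
import re

# RFC 2152 "Set D" and the whitespace that may be sent directly in UTF-7.
# Everything else is base64-encoded by the encoder below.  Python's own
# utf-7 codec sends '<' and '>' literally, so the attacker's form is built
# by hand to match what the classic payload (+ADw-script+AD4-) looks like.
_DIRECT = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
              "0123456789'(),-./:? \t\r\n")


def utf7_obfuscate(text: str) -> str:
    """UTF-7 encode text, base64-encoding every character outside Set D."""
    out, run = [], []

    def flush():
        if run:
            raw = "".join(run).encode("utf-16-be")
            b64 = base64.b64encode(raw).decode("ascii").rstrip("=")
            out.append("+" + b64 + "-")
            run.clear()

    for ch in text:
        if ch == "+":            # a literal plus is written as "+-"
            flush()
            out.append("+-")
        elif ch in _DIRECT:
            flush()
            out.append(ch)
        else:
            run.append(ch)
    flush()
    return "".join(out)


def escape_like_htmlentities(s: str) -> str:
    """Stand-in for htmlentities($s, ENT_QUOTES): rewrites & < > " and '."""
    return html.escape(s, quote=True)


def strip_tags_like(s: str) -> str:
    """Stand-in for strip_tags(): drops anything that looks like <...>."""
    return re.sub(r"<[^>]*>", "", s)


def browser_view(page_bytes: bytes, charset: str) -> str:
    """What a browser shows if it decodes the bytes with this charset."""
    return page_bytes.decode(charset)


# Constructed to resemble the link from the question; address is a placeholder.
ATTACKER_TAG = ('<a target="_blank" href="mailto:attacker@example.com">'
                'attacker@example.com</a>')


def replicate_attack() -> dict:
    """Replay the question's scenario: form value -> escaper -> browser."""
    submitted = utf7_obfuscate(ATTACKER_TAG)
    escaped = escape_like_htmlentities(submitted)
    return {
        "submitted": submitted,
        "escaper_changed_it": escaped != submitted,
        "strip_tags_changed_it": strip_tags_like(submitted) != submitted,
        # No charset declared: a browser that guesses UTF-7 sees a live link.
        "seen_as_utf7": browser_view(escaped.encode("ascii"), "utf-7"),
        # Charset pinned to UTF-8: the same bytes are just harmless text.
        "seen_as_utf8": browser_view(escaped.encode("ascii"), "utf-8"),
    }


def build_response(user_text: str) -> tuple:
    """The fix from the first answer: declare the charset (header + meta tag)
    so the browser never has to guess, then escape as before."""
    headers = {"Content-Type": "text/html; charset=UTF-8"}
    page = ('<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
            + escape_like_htmlentities(user_text) + "</body></html>")
    return headers, page


if __name__ == "__main__":
    result = replicate_attack()
    print("submitted :", result["submitted"])
    print("escaped?  :", result["escaper_changed_it"])
    print("as UTF-7  :", result["seen_as_utf7"])
    print("as UTF-8  :", result["seen_as_utf8"])
```

Running it prints the submitted value as something like `+ADw-a target+AD0AIgBf-blank+ACI- href+AD0AIg-mailto:...`, which is the text to paste into the form to replicate the report. In PHP the equivalent of build_response() is `header('Content-Type: text/html; charset=UTF-8')` plus a `<meta charset="utf-8">` in the head; the escaping itself stays as it was.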