
Re: [PHP] Dealing With User Entering a Script

On Jul 22, 2016, at 11:19 AM, Stephen wrote:

I dug back to see where I got the idea of using htmlentities() on user input.

This came from the book Modern PHP and deals with a user entering in a text box something like:

<script>window.location.href='http://example.com';</script>

Is there a better way of dealing with this?

For context, I am creating a user registration field and there is a textarea field for their bio.

Thank you!

--
Stephen

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

There should not be a problem with script code entered into a text field or textarea element because the browser treats it like a single quoted string.
So the script won't be run in the client.

I would have PHP look for embedded script tags and str_replace() them
when the form data is submitted. OR, if you are up on JavaScript, have it
intercept the submit process and clean the form input.

I have developed a crude way of editing source code that loads anything
and everything into a textarea element for editing with no worry of the
browser executing any code in the textarea. Even PHP open and close
tags in PHP script files won't cause it to run PHP code.

JK

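The approach the thread circles around (store the bio as typed, escape it when it is written into HTML) as an added example; this code is not from either poster or from the Modern PHP book. The helper names `h()`, `renderBio()` and `renderBioTextarea()` are hypothetical, and the sample bio is the payload from the original question. The same escaping is what keeps a `</textarea>` typed into the bio from closing the edit form's element, which is the case a plain textarea relies on the browser to get right.

```php
<?php
// Added example, not code from the mailing-list thread.
// The bio is kept exactly as the user typed it; htmlspecialchars() is
// applied only at output time, once per HTML context, so the browser
// displays the text instead of parsing it as markup.

declare(strict_types=1);

/** Escape a string for HTML text content or a double-quoted attribute value. */
function h(string $s): string
{
    // ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE avoids an
    // empty result on invalid UTF-8 instead of silently dropping the bio.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render the stored bio on the public profile page. */
function renderBio(string $bio): string
{
    // nl2br() runs after escaping, so the only tags in the output are
    // the <br> elements it inserts for line breaks.
    return '<div class="bio">' . nl2br(h($bio)) . '</div>';
}

/** Render the stored bio back into the registration/edit form. */
function renderBioTextarea(string $bio): string
{
    // Escaping inside <textarea> is still required: an unescaped
    // "</textarea>" in the value would end the element early.
    return '<textarea name="bio">' . h($bio) . '</textarea>';
}

/** Everything a bio rendering must not contain once escaped. */
function containsRawTag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

// Constructed sample input: the payload quoted in the original question.
$bio = "<script>window.location.href='http://example.com';</script>\n" .
       "Second line with a stray </textarea> in it.";

echo renderBio($bio), "\n";
echo renderBioTextarea($bio), "\n";

// Both renderings contain no raw <script> or </textarea> sequence.
var_dump(containsRawTag(renderBio($bio), 'script'));          // bool(false)
var_dump(containsRawTag(renderBioTextarea($bio), '/textarea')); // bool(false)
```

Because the stored value is untouched, the user can reopen the form and see exactly what they wrote; the escaping is a property of each output location rather than of the data, so the same bio can be placed in a page, a textarea or an attribute without a second cleanup pass.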