This document describes how to display safely formatted output from user
input. We will discuss the dangers of displaying unfiltered output
and then provide a safe means of displaying formatted output. Download the attachment and extract it into
your web documents directory.
Dangers of Unfiltered Output
If you just take the user's input and display it as is, you may break
your webpage. For example, someone can maliciously embed JavaScript
in their comment like:
This is my comment. <script language="javascript: alert('Do something bad here!')">.
Even if the user had no bad intentions, they may accidentally include some
HTML that breaks your site layout. For example, if you display the
user's input in a table and they include an unbalanced </table>
tag, your page appears broken.
Displaying Plain Text Only
The easiest solution would be to only display plain text in the comment.
Using the htmlspecialchars() function, you convert all the special
characters into HTML entities. For example, <b> would become
&lt;b&gt;,
turning it into text instead of an HTML tag. This guarantees that
there is no HTML markup in the comment that would produce unwanted output.
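The following script is an added example, not code from the article or its attachment. It renders a guest comment inside a table cell twice: once unsafely, with the text inserted as typed, and once through htmlspecialchars(). The function names and the three sample comments (one harmless, one carrying a script tag, one carrying the stray </table> tag mentioned above) are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example (not from the original article or its attachment).
// Renders a guest comment inside a table cell, first unsafely, then safely.

// Unsafe: the comment text goes into the page exactly as typed, so any
// tag the guest wrote is interpreted by the browser.
function renderCommentUnsafe(string $comment): string
{
    return "<tr><td class=\"comment\">$comment</td></tr>";
}

// Safe: every character that has meaning to the HTML parser (<, >, &, ", ')
// is converted to an entity, so the browser shows the text instead of
// interpreting it. ENT_QUOTES also escapes single quotes, which matters if
// the value ever lands inside an attribute; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderCommentSafe(string $comment): string
{
    return '<tr><td class="comment">' . escapeHtml($comment) . '</td></tr>';
}

// Constructed sample comments: a harmless one, one with a script tag, and
// one with the stray </table> tag the article mentions.
$samples = [
    'Nice article, thanks!',
    "This is my comment. <script>alert('Do something bad here!')</script>",
    'Looks great </table> oops',
];

echo "<table>\n";
foreach ($samples as $comment) {
    echo "<!-- unsafe -->\n", renderCommentUnsafe($comment), "\n";
    echo "<!-- safe -->\n", renderCommentSafe($comment), "\n";
}
echo "</table>\n";
```

Run it with the PHP command-line interpreter and compare the two rows produced for each sample: in the unsafe row the script tag and the closing table tag survive as markup, while in the safe row they appear as `&lt;script&gt;` and `&lt;/table&gt;`, which a browser renders as visible text and the table keeps its shape. Always pass the character set explicitly; if the page's encoding and the escaping function's assumed encoding disagree, multi-byte sequences can be mishandled.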
This is an acceptable solution if your guests don't mind entering only
plain text, but it would be much better if you gave them some formatting
abilities.
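One way to offer formatting without accepting raw HTML, given here as an added example and not as the contents of the attachment: escape the whole comment first with htmlspecialchars(), then translate a small, fixed set of bracket codes into tags that the script itself writes. The bracket syntax ([b], [i], [url]), the function names and the sample comments are this example's own choices.

```php
<?php
declare(strict_types=1);

// Added example (not the article's attachment): give guests a few formatting
// options without letting them write raw HTML. The bracket syntax and the
// function names are this example's own choices.

function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Step 1: escape everything, so any raw HTML the guest typed becomes text.
// Step 2: translate only the markup we chose to allow into fixed tags.
// The output tags are written by this function and never copied from the
// input, so the guest cannot add attributes or event handlers to them.
function formatComment(string $comment): string
{
    $safe = escapeHtml($comment);

    // Bold and italic: non-greedy matches on the already-escaped text.
    $safe = preg_replace('/\[b\](.*?)\[\/b\]/s', '<strong>$1</strong>', $safe) ?? $safe;
    $safe = preg_replace('/\[i\](.*?)\[\/i\]/s', '<em>$1</em>', $safe) ?? $safe;

    // Links: only http(s) URLs made of characters that are harmless inside
    // an href after escaping (ampersands are already &amp; at this point).
    // A [url] block that does not match simply stays as visible text.
    $safe = preg_replace(
        '/\[url\](https?:\/\/[A-Za-z0-9._~\/?#=&;%+-]+)\[\/url\]/',
        '<a href="$1" rel="nofollow">$1</a>',
        $safe
    ) ?? $safe;

    // Keep the guest's line breaks.
    return nl2br($safe);
}

// Constructed sample comments exercising each feature and a raw-HTML attempt.
$samples = [
    "I [b]really[/b] liked the [i]second[/i] part.\nThanks!",
    'See [url]https://example.com/page?a=1&b=2[/url] for more.',
    'Trying <b onmouseover="alert(1)">raw HTML</b> and [url]javascript:alert(1)[/url].',
];

foreach ($samples as $comment) {
    echo formatComment($comment), "\n\n";
}
```

The order matters: escaping first and then substituting the bracket codes means the regular expressions only ever see entity-encoded text, so a guest cannot close a tag you opened or inject a tag of their own. In the third sample the `<b onmouseover=...>` fragment is rendered as literal text and the `javascript:` link is left alone because the URL pattern only admits http and https.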
Download: ying20000718.zip