#native_company# #native_desc#

Displaying Formatted User Input

By Ying Zhang
on July 30, 2000

This document describes how to display safely formatted output from user
input. We will discuss the dangers of displaying unfiltered output
and then provide a safe means of displaying formatted output. Download the attachment and extract it into
your web documents directory.

Dangers of Unfiltered Output

If you just took the user’s input and displayed it as is, you may break
your webpage. For example, someone can maliciously embed javascript
in their comment like:

This is my comment. 
<script language="javascript: 
alert('Do something bad here!')">.

Even if the user had no bad intentions, they may accidentally put some
HTML that breaks your site layout. For example if you displayed the
user’s input in a table and they included an improperly nested </table>
tag, your page appears broken.

Displaying Plain Text Only

The easiest solution would be to only display plain text in the comment.
Using the htmlspecialchars() function, you convert all the special
characters into HTML entites. For example <b> would become
turning it into text instead of an HTML tag. This guarantees that
there are no HTML markups in the comment that would produce unwanted output.
This is an okay solution if your guests don’t mind entering in only
plain text, but it would be a lot better if you gave them some formatting


Download: ying20000718.zip