This document describes how to safely display formatted output built from user
input. We will discuss the dangers of displaying unfiltered output
and then provide a safe means of displaying formatted output. Download
ying20000718.zip and extract it into
your web documents directory.
If you just took the user's input and displayed it as is, you may break
your webpage. For example, someone could maliciously embed JavaScript
in their comment like:
This is my comment.
<script language="javascript">alert('Do something bad here!')</script>
Even if the user had no bad intentions, they may accidentally include some
HTML that breaks your site layout. For example, if you displayed the
user's input in a table and they included an improperly nested
</table>
tag, your page would appear broken.
The easiest solution would be to display only plain text in the comment.
Using the htmlspecialchars() function, you convert all the special
characters into HTML entities. For example, <b> would become
&lt;b&gt;,
turning it into text instead of an HTML tag. This guarantees that
there is no HTML markup in the comment that would produce unwanted output.
This is an okay solution if your guests don't mind entering only
plain text, but it would be a lot better if you gave them some formatting
abilities.
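The following is an added example, not the tutorial's own code: it applies htmlspecialchars() to the whole comment first, so the script and </table> inputs described above come out as harmless text, and then goes one step past this section by re-enabling a small whitelist of pseudo-markup ([b], [i], [url]) on the already-escaped string. The function names, the tag names and the sample comments are this example's own choices.

```php
<?php
// Step 1: escape everything. ENT_QUOTES also converts ' so the result
// is safe inside attribute values as well as in element text.
function escapeComment(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
}

// Step 2: translate a whitelist of pseudo-markup into HTML. Because the
// input has already been escaped, no raw tag from the guest can survive;
// only the tags this function emits can reach the page.
function formatComment(string $input): string
{
    $safe = escapeComment($input);

    // Only properly paired [b]..[/b] and [i]..[/i] are converted; an
    // unclosed opening tag stays as literal text. Note that the pairs are
    // matched independently, so [b]x[i]y[/b]z[/i] still yields mis-nested
    // <b>/<i> tags (a layout glitch, never script execution).
    $safe = preg_replace('#\[b\](.*?)\[/b\]#s', '<b>$1</b>', $safe);
    $safe = preg_replace('#\[i\](.*?)\[/i\]#s', '<i>$1</i>', $safe);

    // Links: accept only http(s) URLs. Any quote or angle bracket in the
    // URL is already an entity, so it cannot break out of the href attribute.
    $safe = preg_replace(
        '#\[url\](https?://[^\s\[\]]+)\[/url\]#i',
        '<a href="$1">$1</a>',
        $safe
    );

    // Preserve the line breaks the guest typed.
    return nl2br($safe);
}

// Constructed sample comments (the first two are the cases from the text).
$comments = [
    "This is my comment. <script language=\"javascript\">alert('Do something bad here!')</script>",
    "A stray </table> and an [b]unclosed [i]tag[/b] in the middle",
    "See [url]https://example.com/?a=1&b=2[/url] but not [url]not a url[/url]",
];

foreach ($comments as $c) {
    echo formatComment($c), "\n";
}
```

The first comment is rendered entirely as escaped text, the second becomes `A stray &lt;/table&gt; and an <b>unclosed [i]tag</b> in the middle`, and in the third only the http(s) URL turns into a link (with its `&` correctly emitted as `&amp;` inside the href).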