MyBB Community Forums

Full Version: HTML Security
Guys, I've just recently started programming, and I need some help. I have a form, and for some reason I can't get it to filter out the HTML. I really need some help with this. I'd like that, if HTML is entered, it displays as the same text they entered. Meaning <b>test</b> would display as <b>test</b> instead of test.


Thanks
well you can put it in code tags (<code>)

or


&lt; = <
&gt; = >

http://www.ascii.cl/htmlcodes.htm
Does that prevent the code from being executed?
(2010-09-28, 04:52 AM)Ooka Wrote: Guys, I've just recently started programming, and I need some help. I have a form, and for some reason I can't get it to filter out the HTML. I really need some help with this. I'd like that, if HTML is entered, it displays as the same text they entered. Meaning <b>test</b> would display as <b>test</b> instead of test.


Thanks

Run the text you get from the form through htmlspecialchars before using it anywhere.
This is assuming you use php, you can use similar functions in other languages.
Yeah, I use php, and when and where would I put this? In the form, before processing the information, in the output display, or what? :o
(2010-09-28, 05:48 AM)Ooka Wrote: Yeah, I use php, and when and where would I put this? In the form, before processing the information, in the output display, or what? :o

Ideally before processing the information, unless you need it intact for the processing, in which case before it goes out to the display.
So is this how it could be used?

$new = htmlspecialchars('$_POST[message]', ENT_QUOTES);
echo $new; 

Or am I doing it wrong?
Sorry to be such a bother.
(2010-09-28, 05:57 AM)Ooka Wrote:
$new = htmlspecialchars('$_POST[message]', ENT_QUOTES);
echo '$_POST[message]'; 
Think about it: you just ran htmlspecialchars on $_POST['message'] and saved it in $new, but then you echoed out $_POST['message'], which hasn't changed.

Do this instead:
$new = htmlspecialchars($_POST['message'], ENT_QUOTES);
echo $new; 

Damn, still isn't working for me lol. I'll figure something out I suppose. Just seems like the first line will only work in the file that processes the information, and the second line will only work in the output, and at the same time they won't work together.

I KNOW this is my problem, lol, just don't know what I'm doing wrong. XD

Thanks a bunch for all your help though.
Just do

echo htmlentities($_POST['message']);
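The pattern the replies above describe, as an added example that is not code from any post in this thread: keep the submitted text unchanged for processing and storage, and run it through htmlspecialchars() once, at the point where it is written into HTML. The helper names e(), store_message() and render_messages() and the sample submissions are assumptions constructed for this example; the constructed array stands in for $_POST['message'].

```php
<?php
// Added example, not code from the thread. Shows where to apply
// htmlspecialchars(): store the submitted text unchanged, escape it once
// when it is placed into markup. Input is constructed here in place of
// $_POST['message'].
declare(strict_types=1);

// Escape for an HTML text node or a quoted attribute value.
// ENT_QUOTES: escape both " and ', so the result is also safe inside
//             single-quoted attributes (before PHP 8.1 the default flags
//             left ' untouched).
// ENT_SUBSTITUTE: replace invalid UTF-8 with U+FFFD instead of returning ""
//             (an empty return would silently drop the whole message).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// "Processing" step (hypothetical): the raw text goes into storage untouched,
// so later code can still search it, count words, etc.
function store_message(array &$db, string $raw): void
{
    $db[] = $raw;
}

// Output step: each stored message is escaped as it is written into HTML.
function render_messages(array $db): string
{
    $html = '';
    foreach ($db as $msg) {
        $html .= '<p>' . e($msg) . "</p>\n";
        // Reusing the text in an attribute is safe for the same reason.
        $html .= '<input type="text" name="message" value="' . e($msg) . "\">\n";
    }
    return $html;
}

// Constructed sample submissions, as a visitor might type them.
$samples = [
    '<b>test</b>',                             // the OP wants this shown literally
    '<script>alert(document.cookie)</script>', // would run if echoed raw
    '" onmouseover="alert(1)',                 // attribute breakout, needs " escaped
    "' onmouseover='alert(1)",                 // needs ENT_QUOTES to escape '
    'Tom & Jerry',                             // plain text that contains &
];

$db = [];
foreach ($samples as $raw) {
    store_message($db, $raw);
}

echo "Unsafe (raw text dropped into markup):\n";
foreach ($db as $msg) {
    echo '<p>' . $msg . "</p>\n";
}

echo "\nSafe (escaped on output):\n";
echo render_messages($db);

// Caveat for escaping "before processing" and then again on output: the
// default double_encode=true re-escapes entities that are already there,
// so "&amp;" becomes "&amp;amp;" and the page shows "&amp;" to the reader.
// Escape exactly once, at output.
$once  = e('Tom & Jerry');   // Tom &amp; Jerry
$twice = e($once);            // Tom &amp;amp; Jerry (displays wrongly)
echo "\nDouble-escaped: {$twice}\n";
```

Run it from the command line with php and compare the two output sections: in the "safe" section every sample is shown exactly as typed, with the script and attribute payloads turned into literal text. htmlentities(), as in the last reply, works as well because it is a superset of htmlspecialchars(); the extra conversion of accented and non-ASCII characters to entities adds nothing for safety, and passing an explicit 'UTF-8' charset matters for either function on older PHP releases whose default charset was ISO-8859-1.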