how to rescrict JS script being inserted in DB with php

Question

Hi all,

I have one problem regarding the data insertion in php.

In my site there is a message system.

so when my inbox loads it gives one javascript alert.

I have search a lot in my site and finally i found that some one have send me message with below text.

<script>
  alert(5)
</script>

So how can i restrict the script code being inserted in my data base..

I am running on php...

Thanks in advance.

Avinash

Answer 1

You can use strip_tags(). The second argument of this function will allow you to list an explicit list of which tags are allowable:

// Allow <p> and <a>, <script> will be stripped
echo strip_tags($text, '<p><a>');

You may also consider htmlspecialchars(), which converts characters like < into <, causing the browser to interpret them as text, rather than code:

$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;

Answer 2

Take a look at the htmlspecialchars() function. It converts < > ' " and & to their html entity equilivents, meaning <script> will become <script>

Answer 3

User input should be escaped before outputting it.

Whenever you're displaying something a user submitted, run it through htmlspecialchars() first. This'll turn HTML code into safe output.

Answer 4

You should use strip_tags. If you still want to allow some HTML, then add a whitelist in the second parameter.

I should add a really big caveat here. If you're leaving any tags in a strip_tags whitelist, you can still be susceptible to javascript injection. Assume you're allowing the seemingly innocuous tags <strong> and <em>:

Strip tags will still allow all attributes, including event handlers
like <strong onmouseover="window.href=http://mydodgysite.com"&gt;this&lt;/strong&gt;.

You have a couple of serious options:

• strip_tags with no whitelist. Safe, but doesn't allow for any formatting, and may cause problems with strings like this: "x<y, but y>4" --> "x4"
• htmlentities. Use this when displaying the data on the screen (not on the data before you put it in the database). It's safe, but doesn't allow for formatting.
• A different markup system than HTML, for example: Markdown, Wiki markup, BB Code. Requires rendering to convert back to HTML, but it's mostly safe and can be quite flexible.

Answer 5

You should not restrict it to be inserted into the database (if StackOverflow would restrict it, we would not be able to post code examples here!)

You should better control how you display it. For instance, add htmlentities() or htmlspecialchars() to your echo call.

Answer 6

This is called XSS. There are numerous threads about it on SO.

• How to prevent XSS with HTML/PHP?
• What are the best practices for avoid xss attacks in a PHP site?
• XSS Attacks Prevention
• Is preventing XSS and SQL Injection as easy as does this…?

Answer 7

If I understand you right, you're just looking for two simple commands:

$message = str_replace($message, "<", "&lt;");
$message = str_replace($message, ">", "&gt;");

Answer 8

There is no problem with JavaScript code being stored in the database. The actual problem is with non-HTML content being taken from the database and displayed to the user as if it were HTML. The correct approach would be to make sure your rendering code treats text as text, not as HTML.

In PHP, this would be done by calling htmlspecialchars on the inbox contents when displaying the inbox (possibly along with nl2br and maybe turning links to <a> tags).

Avoid using striptags for text content: as an user, I might want to type a message like:

... and to create a link, use <a href="your-url-here">your-text-here</a> ...

striptags would eliminate the tag, htmlspecialchars would make the text appear as it was typed.