How can I prevent XSS but allow any characters to be used? For example, I could post HTML code on a forum like <html><body><h1>Test</h1></html>, but it would not be rendered in the browser as HTML. How can I do this so it does not convert the characters in PHP?

A: 

You can make a string safe to output with htmlentities or htmlspecialchars. htmlentities is more thorough, as it encodes all entities, while htmlspecialchars only transforms bracket, quote and the ampersand characters.

For instance, it changes < into &lt;, which is displayed by the browser as a < symbol rather than being interpreted as the start of an HTML tag.

Alex JL
+2  A: 

Pass a string through the htmlspecialchars() function:

<?php
// Outputs HTML as literal characters
echo htmlspecialchars('<html><body><h1>Test</h1></html>');
BoltClock
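As an added example that is not part of either answer above, this PHP helper wraps htmlspecialchars with the flags a forum would want, and shows the caveat both answers leave out: without ENT_QUOTES the single quote is not escaped, which matters when the text lands inside a single-quoted attribute. It assumes UTF-8 input and output, and the helper name escape_html and the sample posts are constructed for illustration.

```php
<?php
// Added example, not code from the original answers. Assumes UTF-8 throughout.

/**
 * Escape untrusted text for use as HTML body text or inside a double- or
 * single-quoted attribute value.
 *  - ENT_QUOTES: also escape the single quote (only " is escaped by ENT_COMPAT).
 *  - ENT_SUBSTITUTE: replace invalid UTF-8 sequences with U+FFFD instead of
 *    returning an empty string, which would silently drop the whole post.
 * Note: ENT_QUOTES | ENT_SUBSTITUTE is the default only since PHP 8.1; earlier
 * versions default to ENT_COMPAT, so pass the flags explicitly.
 */
function escape_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample post: the markup from the question, to be shown literally.
$post = '<html><body><h1>Test</h1></html>';
echo escape_html($post), "\n";

// Constructed sample containing both quote styles, e.g. a display name that is
// placed in an attribute as well as in body text. Every delimiter is escaped.
$name = 'O\'Neil says "hi" & <b>bold</b>';
echo '<span title="', escape_html($name), '">', escape_html($name), "</span>\n";
echo "<span title='", escape_html($name), "'>", escape_html($name), "</span>\n";

// Caveat: with ENT_COMPAT (the pre-8.1 default) the single quote survives, so
// a value placed in a single-quoted attribute could close that attribute.
echo htmlspecialchars($name, ENT_COMPAT, 'UTF-8'), "\n";

// Escape at output time, not when the post is stored; the stored text should
// stay raw so the same content can be escaped correctly for other contexts.
```

The escaped string is safe only in HTML text and attribute contexts; the same bytes are not safe inside a <script> block, a URL, or a CSS value, each of which needs its own encoding.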
A: 

An interesting approach is DOM + Tidy - Source

zengr