user1710099

Reputation: 31

unwanted <p><span><div> tags are being inserted into database

I am using a form to insert text into a MySQL database.

When the user keys in text manually into the form, the results are inserted into the database perfectly.

However if the user copies and pastes text from say another web page, there are hidden p tags which are sent to the database with the text. The tags are not viewable within the form itself but when submitted they are still sent to the database.

If I then use a MySQL SELECT statement to display the results on a web page, the unwanted tags are displayed and they break the layout of my web page!

Therefore I just need to know how I stop unwanted 'p' 'span' and 'div' tags from being inserted into my MySQL database when I copy and paste text from another web page.

The web form in question is part of a content management system that I am building. I need the form to be bullet proof from a user point of view. And the reality is that users will more than likely be copying and pasting text from other websites and also possibly from word documents and I need to ensure that no unwanted 'p' 'span' and 'div' tags are inserted into the database when copied and pasted from third party sources.

Here is my code for the form:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Untitled</title>
<script type="text/javascript" src="http://www.achcreative.net/ckeditor/ckeditor.js"></script>
<link href="../elite.css" rel="stylesheet" type="text/css" />
</head>
<body>

<!--Begin Main Menu -->
<?php include("includes/menu.inc.php"); ?>
<!--End Main Menu -->

<h2 class="subheaderh2">Insert New News Entry</h2>  

<form method="post" action="insert_news.php">
<input name="publish" type="hidden" id="publish" value="publish" />  
<table>
<tr><td><p>News Title:</p></td></tr>
<tr><td><input name="newstitle" type="text" size="43" id="newstitle"></td></tr>
<tr><td><p>News Article:</p></td></tr>
<tr><td><textarea name="newsarticle" cols="40" rows="10" id="newsarticle"></textarea>

<script type="text/javascript">
//<![CDATA[

// Replace the <textarea id="newsarticle"> with a CKEditor
// instance, using the default configuration and a reduced toolbar.
CKEDITOR.replace( 'newsarticle', 
    {
        toolbar :
        [
            [ 'Bold', 'Italic', '-', 'NumberedList', 'BulletedList', '-', 'Link', 'Unlink' ],
        ]
    });
//]]>
</script>
</td></tr>
<tr><td height="30" colspan="2"><input type="submit" value="Submit"></td></tr>  
</table></form>
<p><a href="news_results.php">Return</a></p>
</body>
</html>

Here is my code for the form processing script:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Untitled</title>
</head>

<body>
<h2 class="subheaderh2">News Entry Results</h2>

<?php
// create short variable names
$newstitle=$_POST['newstitle'];
$newsarticle=$_POST['newsarticle'];
$publish=$_POST['publish'];

if (!$newstitle || !$newsarticle)
{
 echo '<p>You have not entered all the required details.<br />'
      .'Please go back and try again.</p>'
      .'<p><a href="javascript:history.go(-1)">Return</a></p>';
 exit;
}

if (!get_magic_quotes_gpc())
{
$newstitle = addslashes($newstitle);
$newsarticle = addslashes($newsarticle);
}

$time = date("l jS F Y - g:iA");

// connect to the database
include('../connect-db.php');

/* Create the prepared statement */
if ($stmt = $mysqli->prepare("INSERT INTO news (id, newstitle, newsarticle, date, archive) values (NULL, ?, ?, NOW(), ?)")) {

/* Bind our params */
$stmt->bind_param('sss', $newstitle, $newsarticle, $publish);

/* Set our params */
$newstitle=$_POST['newstitle'];
$newsarticle=$_POST['newsarticle'];
$publish=$_POST['publish'];

/* Execute the prepared Statement */
$stmt->execute();

/* Echo results */
echo "{$newstitle}";
echo "<br />{$newsarticle}";
echo "Inserted into database on: ";
echo "$time";
echo "<br />";
echo "<br />";
echo '<a href="news_results.php">view results</a>';

/* Close the statement */
$stmt->close(); 
}
else {
/* Error */
printf("Prepared Statement Error: %s\n", $mysqli->error);
}

/* close our connection */
$mysqli->close();

?>

</body>
</html>

Many thanks in advance

Regards

Andrew

Upvotes: 0

Views: 3555

Answers (4)

codewaggle

Reputation: 4943

CKEditor offers a large number of configuration options that affect the final output of the content.

If you don't want HTML tags included when something is pasted into the editor, you can force paste operations to be text only, which will strip out HTML tags.

config.forcePasteAsPlainText = true;

It would be helpful if you could include an example of problematic content that is copied from another web page and pasted into the editor. Include the following three pieces.

1) The portion of the web page that was copied.

2) The source code from that web page for the portion that is being copied.

3) The source code of the CKEditor content after the paste operation.

To see the source code within the editor, you'll need to temporarily add the "Source" button back into your toolbar:

CKEDITOR.replace( 'newsarticle', 
    {
        toolbar :
        [
            [ 'Source','Bold', 'Italic', '-', 'NumberedList', 'BulletedList', '-', 'Link', 'Unlink' ],
        ]
    });

After the paste operation, click the source button and copy the content that was pasted. This will allow you to see exactly what is happening.

The list of configuration options is available here:
CKEditor 3 JavaScript API Documentation Namespace CKEDITOR.config

Upvotes: 1

user823738

Reputation: 17521

I want to point out that your code is vulnerable to XSS.

Now back to your question:

You probably use an HTML editor. Try to strip/remove unwanted tags before they get submitted, using JavaScript and the onsubmit attribute. You can strip the tags with the following regex:

value_of_editor.replace(/<[^>]+>/g,'');

Also make sure not to output raw HTML; escape HTML before sending it to the client.

Update: It's not necessary to put the escaped message into the database - I think it's just a waste of data length. And you should always check what you are outputting to the client.

Upvotes: 1

Simon Germain

Reputation: 6844

You can use the strip_tags() function on the text that needs to be inserted in your database.

Here's the reference

Upvotes: 0

Ahmet Ozisik

Reputation: 443

You should use the function strip_tags in order to strip (obvious) tags and potentially harmful code off of strings (be it HTML or PHP code).

$foo = strip_tags('<b>code with html</b>'); // $foo will be "code with html"

Upvotes: 0
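An added example, not taken from the question or from any of the answers above, that works through the allow-list idea behind the regex-strip and strip_tags suggestions: the <p>, <span> and <div> wrappers a paste drags in are dropped while the tags the question's toolbar can produce are kept, and text runs and attribute values are escaped so the stored markup is safe to echo back. The input is a constructed sample and the tag list is an assumption based on the toolbar in the question; it does not balance tags, so for production a maintained sanitizer such as HTML Purifier (PHP) or DOMPurify (JavaScript) is the better choice.

```javascript
// Tags the question's toolbar can produce, with the attributes kept on each.
// Everything else a paste brings in (<p>, <span>, <div>, style=, on*=) is
// dropped while its text content is kept. Assumed list, not CKEditor's own.
const ALLOWED = { b: [], strong: [], i: [], em: [], ol: [], ul: [], li: [], br: [], a: ['href'] };

// Escape the characters that would start markup. Existing entities such as
// &amp; are left alone so editor output is not double-encoded.
function escapeText(s) {
  return s.replace(/&(?![a-zA-Z0-9#]+;)/g, '&amp;')
          .replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Read one attribute value (double-, single- or unquoted) out of a tag's
// attribute text. Returns null when the attribute is absent.
function readAttr(attrText, name) {
  const re = new RegExp('(?:^|\\s)' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(attrText);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Only plain http(s) or site-relative links survive; javascript:, data: and
// protocol-relative URLs cause the attribute to be dropped.
function safeHref(v) {
  return /^(?:https?:\/\/|\/(?!\/))/i.test(v.trim()) ? v.trim() : null;
}

// Walk the HTML tag by tag: escape each text run, drop tags that are not
// allowed, and rebuild allowed tags from scratch with allow-listed attributes.
function sanitizeEditorHtml(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const out = [];
  let last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out.push(escapeText(html.slice(last, m.index)));
    last = tagRe.lastIndex;
    const name = m[1].toLowerCase();
    if (!(name in ALLOWED)) continue;                      // unwanted tag: drop it, keep text
    if (m[0][1] === '/') { out.push('</' + name + '>'); continue; }
    let attrs = '';
    for (const a of ALLOWED[name]) {
      let v = readAttr(m[2], a);
      if (v !== null && a === 'href') v = safeHref(v);
      if (v !== null) attrs += ' ' + a + '="' + escapeText(v) + '"';
    }
    out.push('<' + name + attrs + '>');
  }
  out.push(escapeText(html.slice(last)));
  return out.join('');
}

// Constructed sample of what a paste from another web page can look like.
const PASTED = '<div class="x"><p style="margin:0">Hello <span>world</span> &amp; '
  + '<b onclick="evil()">bold</b> <a href="javascript:alert(1)">bad</a> '
  + '<a href="https://example.com/">ok</a> 1 < 2</p></div>';
console.log(sanitizeEditorHtml(PASTED));
```

Run the cleaned string through this on the server before the INSERT, and the stored value can be echoed back without breaking the layout or executing anything that was pasted.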
