Reputation: 1204
I am developing an application and I am reading up on implementing security measures. I set up a class to automatically generate form elements and the class embeds php string variables within html to create the fields. I noticed, however, that htmlspecialchars() was not necessary as I went to implement it. So I am attempting to pseudo-maliciously turn this:
<input type="text" name="email">... rest of html
into:
<input type="text" name="email"><br><br>
However, both before and after using htmlspecialchars(), my browser gives me this when I try to edit the frontend html:
<input type="text" name="email"><br><br>
Is this just something that is automatically implemented? If so, is this from a PHP update (I thought I found something about it being an update in PHP 5.4)?
Furthermore, can I abandon using htmlspecialchars()?
More information requested:
$this->type = 'text'; //what I would normally use
$this->type = 'text" name="name"><br><br>'; //my attempt to manipulate the html
$output = "<input type='$this->type' name='$this->name'";
$output .= ... close the tag, etc.
echo $output;
Upvotes: 1
Views: 128
Reputation: 70863
Try this manipulation:
$this->type = 'text\' name="name"><br><br>'; //my attempt to manipulate the html
It should break your HTML, because the delimiters for your attribute value are single quotes, and now they appear in your attribute text as well.
And please make sure not to use any sophisticated DOM inspectors like firebug, but to look at the pure source code that is emitted by your server.
Upvotes: 1
Reputation: 943216
The use of htmlspecialchars is required whenever you take some text and insert it into some HTML as a string (unless you know that the text won't contain any characters with special meaning in HTML, but even then using htmlspecialchars is a good habit to be in).
I can't explain why your unspecified input, when run through your unspecified code and then run through a browser's parser (with error recovery features), gives you that output.
After the question was updated:
$this->type = 'text" name="name"><br><br>'; //my attempt to manipulate the html
$output = "<input type='$this->type' name='$this->name'";
Your attribute value is delimited with ' characters. Your data doesn't contain any ' characters, so it isn't going to terminate the attribute value and escape.
Upvotes: 3
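Added example (not code from the question or either answer) that runs both inputs from the thread through a single-quoted attribute template: the question's double-quote payload stays inside the attribute, the first answer's single-quote variant breaks out, and htmlspecialchars() with ENT_QUOTES neutralises both. The two render functions are hypothetical stand-ins for the question's form class.

```php
<?php
// Constructed example; renderUnescaped()/renderEscaped() are hypothetical
// stand-ins for the question's form-element class.

// Vulnerable version: attribute values are interpolated straight into markup.
// Because the template delimits attributes with single quotes, only a single
// quote in the data can end the attribute early; a double quote cannot.
function renderUnescaped(string $type, string $name): string
{
    return "<input type='$type' name='$name'>";
}

// Hardened version: ENT_QUOTES escapes both ' and ", so the value can never
// terminate the attribute regardless of which delimiter the template uses.
// Before PHP 8.1 the default flags left ' untouched, so pass it explicitly.
function renderEscaped(string $type, string $name): string
{
    $safeType = htmlspecialchars($type, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $safeName = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type='$safeType' name='$safeName'>";
}

// Constructed inputs: the question's attempt and the first answer's variant.
$inputs = [
    'text" name="name"><br><br>',   // stays inside the '...' attribute
    'text\' name="name"><br><br>',  // closes the '...' attribute early
];

foreach ($inputs as $type) {
    echo "unescaped: " . renderUnescaped($type, 'email') . "\n";
    echo "escaped:   " . renderEscaped($type, 'email') . "\n\n";
}

// Self-check: the escaped output contains only the template's own four
// single-quote delimiters and no raw double quote from the data.
foreach ($inputs as $type) {
    $out = renderEscaped($type, 'email');
    assert(substr_count($out, "'") === 4);
    assert(strpos($out, '"') === false);
}
```

Compare the raw output with the `view-source` of the served page rather than a DOM inspector, since the browser's error recovery will have already rewritten the broken markup.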