yathrakaaran

Reputation: 189

Writing code using HTML escaping to avoid cross-site scripting attacks

I am a PHP newbie. This is part of a gallery code. I recently read about SQL injection and cross-site scripting attacks, and I am trying to avoid them by HTML-escaping dynamically produced data. I am not sure if I am heading in the right direction here. I created an array with URL parameters, then a function for HTML escaping. Can you critique this code and let me know what I am doing wrong, please?

// URL parameters for the gallery link; http_build_query() URL-encodes them
$parameters_new = array('name' => $name, 'pcaption' => $caption_array[$new]);

// Escape a value for insertion into HTML text or an attribute
// (ENT_QUOTES makes it cover both ' and ")
function html_escape($input, $encoding)
{
    return htmlentities($input, ENT_QUOTES, $encoding);
}

// Only the href value goes through html_escape(); $img_dir, $photo_filename,
// $photo_keywords, $photo_caption and $photo_description are inserted as-is
$result_final .= '<div class="limage"><table><tr><td><table class="image"><tr><td><a href="' . html_escape('gallery.php?' . http_build_query($parameters_new), 'UTF-8') . '">
<img src="' . $img_dir . '/' . $photo_filename . '"  alt=" ' . $photo_keywords . '"></a>
<div class="caption">' . $photo_caption . '</div><div class="excerpt">' . $photo_description . '</div></td></tr></table></td></tr></table><div class="underline"></div>';

Upvotes: 0

Views: 127
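The snippet above escapes the href value but inserts $img_dir, $photo_filename, $photo_keywords, $photo_caption and $photo_description raw, and each of those lands in a context (attribute value or element text) where a quote or angle bracket breaks out. Below is an added example, not the asker's code, of the same markup with every dynamic value escaped for the context it is placed in. It uses htmlspecialchars() instead of htmlentities(), since encoding the five characters that matter (&, <, >, ", ') is sufficient and keeps the output readable; ENT_SUBSTITUTE is added so invalid UTF-8 is replaced rather than causing an empty return, which would silently drop the value. The $photo array, the image_url() helper and the sample values are assumptions made for the example.

```php
<?php
// Added example (not from the original post): the gallery item rendered with
// every dynamic value escaped for its HTML context. Variable names follow the
// question; the sample data below is constructed to exercise the escaping.

declare(strict_types=1);

/**
 * Escape a string for insertion into HTML text or a double-quoted attribute.
 * ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE replaces invalid
 * UTF-8 sequences instead of returning an empty string.
 */
function html_escape(string $input, string $encoding = 'UTF-8'): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, $encoding);
}

/**
 * Build the image URL (hypothetical helper). The directory is trusted
 * configuration; the filename is user-influenced, so it is reduced to its
 * basename and percent-encoded. The caller still HTML-escapes the result
 * because it is placed inside an attribute.
 */
function image_url(string $img_dir, string $photo_filename): string
{
    return rtrim($img_dir, '/') . '/' . rawurlencode(basename($photo_filename));
}

/**
 * Render one gallery item. Every interpolated value passes through
 * html_escape(); the URL values are additionally URL-encoded first.
 */
function render_gallery_item(array $photo, string $img_dir): string
{
    // http_build_query() URL-encodes the parameter values. The resulting
    // string still goes through html_escape() because it sits inside an
    // attribute: the & between parameters must become &amp; in HTML.
    $parameters_new = ['name' => $photo['name'], 'pcaption' => $photo['caption']];
    $link = html_escape('gallery.php?' . http_build_query($parameters_new));

    return '<div class="limage"><table><tr><td><table class="image"><tr><td>'
        . '<a href="' . $link . '">'
        . '<img src="' . html_escape(image_url($img_dir, $photo['filename'])) . '"'
        . ' alt="' . html_escape($photo['keywords']) . '"></a>'
        . '<div class="caption">' . html_escape($photo['caption']) . '</div>'
        . '<div class="excerpt">' . html_escape($photo['description']) . '</div>'
        . '</td></tr></table></td></tr></table><div class="underline"></div>';
}

// Constructed sample: each field carries a payload that would break out of
// its context if inserted unescaped (attribute injection, script tag, etc.).
$photo = [
    'name'        => 'sunset" onmouseover="alert(1)',
    'caption'     => '<script>alert(document.cookie)</script>',
    'filename'    => 'sun set.jpg" onerror="alert(1)',
    'keywords'    => 'beach" onload="alert(1)',
    'description' => 'Tom & Jerry\'s "best" photo',
];

echo render_gallery_item($photo, 'images'), PHP_EOL;
```

In the output, the caption appears as literal text (&lt;script&gt;...) rather than a script element, the injected quotes in the attribute values become &quot; so the attributes cannot be closed early, and the href keeps its & separators as &amp;. Two caveats the escaping alone does not cover: the scheme of the href is fixed to gallery.php here, which is why a javascript: URL cannot be smuggled in through $photo['name']; and the filename is reduced with basename() so a value like ../../etc/passwd cannot point the image outside $img_dir. Escaping a value once with a single function is correct only when that value lands in HTML text or a quoted attribute; JavaScript, CSS and URL contexts each need their own encoding.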

Answers (1)

Avara

Reputation: 2103

I recommend that you use a template system or create your own.

Template systems, like Smarty, could escape your vars.

You could see this question: Why should I use a templating system in PHP?

Upvotes: 1
