Dr Hydralisk

Reputation: 1181

Prevent XSS but allow all characters?

How can I prevent XSS but allow any characters to be used? For example, I want to be able to post HTML code on a forum, like <html><body><h1>Test</h1></html>, but have it not rendered in the browser as HTML. How can I do this without converting the characters in PHP?

Upvotes: 0

Views: 365

Answers (3)

zengr

Reputation: 38899

An interesting approach is DOM + Tidy - Source

Upvotes: 0

BoltClock

Reputation: 724402

Pass a string through the htmlspecialchars() function:

<?php
// Outputs HTML as literal characters; ENT_QUOTES also escapes single quotes, which older PHP versions did not do by default
echo htmlspecialchars('<html><body><h1>Test</h1></html>', ENT_QUOTES, 'UTF-8');

Upvotes: 2

JAL

Reputation: 21563

You can make a string safe to output with htmlentities or htmlspecialchars. htmlentities is more thorough, as it encodes all entities, while htmlspecialchars only transforms the angle-bracket, quote and ampersand characters.

For instance, it changes < into &lt;, which is displayed by the browser as a < symbol rather than being interpreted as the start of an HTML tag.

Upvotes: 0
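The following script is an added example that is not part of either BoltClock's or JAL's answer. It puts both answers together: the posted text is kept unchanged (nothing is converted on input, which is what the question asks for) and is escaped only when it is written into the page, once with htmlspecialchars() and once with htmlentities() so the difference between the two is visible. The sample posts, the escapeHtml() and escapeHtmlEntities() helper names and the div/input markup are constructed for the example.

```php
<?php
// Added example (not from the original answers): keep the raw text the user
// typed, and escape it only at the moment it is written into an HTML page.
declare(strict_types=1);

// Constructed sample posts, as a forum user might submit them.
$posts = [
    '<html><body><h1>Test</h1></html>',
    '<script>alert(1)</script>',
    "Caf\u{e9} & bar: it's \"quoted\"",
];

/**
 * Escape text for an HTML text node or a quoted attribute value.
 * ENT_QUOTES escapes ' as well as " (PHP before 8.1 left ' alone by default);
 * ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of returning an
 * empty string, which would otherwise silently blank out the whole post.
 */
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Same characters escaped, plus every character that has a named entity. */
function escapeHtmlEntities(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($posts as $raw) {
    // The database would hold $raw unchanged; no conversion happens on input,
    // so the same text can later be shown as plain text, JSON or e-mail.
    $stored = $raw;

    // Unsafe: the stored text becomes markup and the <script> post executes.
    $unsafe = "<div class=\"post\">$stored</div>";

    // Safe: the browser displays the tags as literal characters.
    $safe = '<div class="post">' . escapeHtml($stored) . '</div>';

    // Attribute context: the ' in "it's" would end a single-quoted attribute
    // if ENT_QUOTES were missing.
    $attr = "<input value='" . escapeHtml($stored) . "'>";

    echo "raw:      $stored\n";
    echo "unsafe:   $unsafe\n";
    echo "safe:     $safe\n";
    echo "attr:     $attr\n";
    echo "entities: " . escapeHtmlEntities($stored) . "\n\n";
}
```

Run it with `php` from the command line and compare the last two lines for the third post: htmlspecialchars() leaves é as it is and only touches &, <, >, " and ', while htmlentities() also turns é into &eacute;. Both are safe for an HTML text node or a quoted attribute as long as the page is served as UTF-8; neither makes text safe inside a <script> block, an unquoted attribute or a URL, which need their own context-specific encoding.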
