Reputation: 21
I have a website that allows anyone to upload anything they want to my site. I've been having problems with people uploading phishing HTML files, and I would like to show the HTML page as text instead of loading it, but I'm not sure how I would go about doing that. I assumed it was something that could be done in .htaccess, but I can't find any information about it. I'm using Ubuntu with Apache. When someone uploads the HTML file I need to automate the process. I only need to disable HTML in one directory, and this directory isn't shared with any HTML files that are supposed to display properly.
Upvotes: 0
Views: 554
Reputation: 14
Create a .htaccess file at the root of your website and add this line:
[Apache2 @ Ubuntu/Debian: use this directive]
AddType application/plain .html .htm
The above will intercept and handle any html pages within your directory to run as plain text files.
Alternatively, you can run a separate process that accepts incoming html pages and performs a conversion to plain text at runtime. A string replacement method will do the trick.
Upvotes: -1
Reputation: 2090
<xmp>
user content here
</xmp>
The <xmp> element is obsolete, but its behaviour is defined in HTML5.
It's supported by all modern and non-modern browsers.
or, if you prefer valid HTML, this:
<body>
<script type=text/plain style=display:block>
user content here
</script>
You have to ensure that user content doesn't contain </xmp> or </script>, respectively.
Upvotes: 0
Reputation: 1127
You can send it with a Content-Type: text/plain; charset=UTF-8 header.
.htaccess:
AddType text/plain html
Upvotes: 2
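A hardened variant of the .htaccess approach from the answers above, as an added example that is not part of any original answer. It assumes the file is placed only in the upload directory, that AllowOverride includes FileInfo for that directory, and that mod_headers is enabled.

```apache
# .htaccess inside the upload directory only (location is an assumption;
# do not place it at the site root or the site's own pages will break).

# Extension-based mapping, as suggested in the answers. It only covers the
# extensions listed, so a file uploaded under another name keeps its type:
# AddType text/plain .html .htm

# Directory-wide alternative: every file served from here is sent as
# text/plain, overriding mime.types and AddType associations.
ForceType text/plain
AddDefaultCharset UTF-8

# Stop browsers from second-guessing the declared type and rendering
# the body as HTML anyway. Requires mod_headers (a2enmod headers).
# Deliberately not wrapped in <IfModule>: if mod_headers is missing,
# Apache returns an error for this directory instead of silently
# serving uploads without the header.
Header always set X-Content-Type-Options "nosniff"

# Defence in depth: if a response from this directory is ever rendered
# as a document, it runs sandboxed with no scripts or form submission.
Header always set Content-Security-Policy "sandbox"
```

After deploying, request an uploaded .html file with `curl -I` and confirm the response carries `Content-Type: text/plain` and the `X-Content-Type-Options: nosniff` header.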
Reputation: 660
Maybe use this function:
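function htmlEntities(str) {
    // Escape the characters that are significant in HTML so the browser shows them as text
    return String(str).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}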
Source: https://css-tricks.com/snippets/javascript/htmlentities-for-javascript/
Upvotes: 0