Reputation: 40002
Hoping this isn't a duplicate, I couldn't find an original question on the topic. If you have an area for users to input data, how do you store and retrieve the data without them inserting javascript or html?
As an example, say a user is making a forum post. They decide to write an html list or javascript function that runs when the post is viewed. How do you mitigate this when you receive their input on the server-side? Specifically, a server-side of PHP.
Thanks
Upvotes: 0
Views: 2732
Reputation: 5747
There are lots of tutorials out there on preventing code injections. Microsoft's is pretty comprehensive, found here.
For html injects, depending on how thorough you want to be, you can usually just put in a string parser to check for <> and remove them without given exceptions.
Upvotes: 2
Reputation: 14946
I use HTML Purifier to strip out the bits I don't want and leave in the bits I do. The default rules are pretty good, but it offers enormous flexibility if you need it.
Upvotes: 2
Reputation: 28090
All you have to do, going for the bare minimum, is replace < with &lt;.
Upvotes: 3
Reputation: 81684
You have to remove or translate the offending parts of their post. You can do it once as the post is coming in, and save the translated post in the database, or you can do it every time you display the post, and store the raw post in the database. Both approaches have their good and bad points.
As to how to strip the bad stuff, using simple matching to replace all < and > with &lt; and &gt; goes a long way -- but there's plenty more to do besides that.
Upvotes: 2
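The "store the raw post, escape it every time you display it" option from the last answer, combined with the bare-minimum `<` to `&lt;` replacement the two answers above describe, looks like this in PHP. This is an added example, not code from any of the answers; it uses PHP's built-in htmlspecialchars() and assumes an in-memory array standing in for the database, so it runs on its own with the constructed sample post below. It is the escape-everything approach; if some markup has to survive (the list in the question), that is the job of a whitelist filter such as the HTML Purifier answer mentions, not of this function.

```php
<?php
// Added example (not from the original question or answers): the
// "store raw, escape on output" approach, using PHP's built-in
// htmlspecialchars(). An array stands in for the database here.

declare(strict_types=1);

// Simulated forum storage: keeps the raw post exactly as submitted.
$posts = [];

function store_post(array &$posts, string $author, string $body): int
{
    // Store the raw text. Nothing is escaped at this point, so the
    // original content survives intact and can be rendered differently
    // later (plain text today, Markdown tomorrow) without double-escaping.
    $posts[] = ['author' => $author, 'body' => $body];
    return count($posts) - 1;
}

function escape_html(string $text): string
{
    // ENT_QUOTES escapes both ' and " so the value is also safe inside an
    // attribute value, not just between tags. ENT_SUBSTITUTE replaces
    // invalid UTF-8 sequences instead of returning an empty string, which
    // would otherwise silently blank out a whole post.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_post(array $post): string
{
    // Escape every untrusted field at the moment it is placed into HTML.
    // nl2br() runs after escaping, so the <br /> tags it inserts are the
    // only markup that reaches the browser.
    $author = escape_html($post['author']);
    $body   = nl2br(escape_html($post['body']));
    return "<article class=\"post\">\n"
         . "  <h2>{$author}</h2>\n"
         . "  <p>{$body}</p>\n"
         . "</article>\n";
}

// Constructed sample input matching the scenario in the question: a post
// carrying an HTML list and a script element.
$id = store_post(
    $posts,
    'alice',
    "Hello!\n<ul><li>item</li></ul>\n<script>alert('xss')</script>"
);

echo render_post($posts[$id]);
// The browser shows the tags as literal text; the script element is never
// parsed as a script and the list is never rendered as a list.
```

Escaping at output time is the step that actually decides whether the browser treats the stored bytes as markup, which is why the same escape_html() call has to be applied to every field and every place a post is printed, including attribute values. Keeping the raw text in storage (the other option the last answer describes, escaping once on the way in, is equally valid) means the stored data is not tied to HTML: rendering it into JSON, email, or a Markdown pipeline later does not require undoing entities first.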