I am working on a website where users can edit their page in HTML language. I want to add a menubar to every page, which loads some info from database, so it has to be a PHP file. To achieve this I enabled running PHP code in HTML pages in the .htaccess file. The problem is that users can now write some PHP stuff in their HTML files and run it. How could I fix this? Is there any other method to automatically add the menubar to all pages for all users?
There are multiple options to your dilemma:
- You can use HTMLPurifier (which you might want to do anyway) to clean up the user-submitted content. That will get rid of PHP as well.
- You could inject the menubar right when saving the user-submitted pages into plain .html pages. (You'd still run into harmful JavaScript submissions.)
- And/or use a more stringent wrapper script which does not execute the user data.
Something like that:
Then set up a RewriteRule instead to pipe all html file requests through that script:
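The wrapper-script approach from the answer above, written out as an added example (this is not the answerer's code and not the asker's site). It assumes user pages are stored under a directory named /var/www/userpages that is outside any location where .htaccess maps .html to the PHP handler, that the menubar items would normally come from the database (a constructed array stands in for that here), and that a RewriteRule of the shape shown in the comment routes requests to this script; all three are assumptions, not details from the page. The key point is that the user's file is read with file_get_contents() and echoed as bytes, never passed through include/require or the PHP handler, so any PHP the user put in it is just text. The path check keeps the request inside the pages directory so the script cannot be pointed at arbitrary files.

```php
<?php
// Added example: serve user-authored HTML as plain text with a menubar injected,
// without executing anything in the user's file.
//
// Assumed .htaccess rule (not from the original page):
//   RewriteEngine On
//   RewriteRule ^pages/(.+\.html)$ serve.php?p=$1 [L,QSA]

declare(strict_types=1);

// Assumed storage directory; it must NOT be covered by the .htaccess directive
// that makes .html files run as PHP.
const PAGES_ROOT = '/var/www/userpages';

function resolveUserPage(string $root, string $requested): ?string
{
    // Accept only a conservative character set and a .html suffix.
    if (!preg_match('#^[A-Za-z0-9_/-]+\.html$#', $requested)) {
        return null;
    }
    $candidate = realpath($root . '/' . $requested);
    $realRoot  = realpath($root);
    // realpath() collapses "../" and symlinks; the result must still be under $root.
    if ($candidate === false || $realRoot === false
        || strncmp($candidate, $realRoot . DIRECTORY_SEPARATOR, strlen($realRoot) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

function buildMenubar(array $items): string
{
    // $items would be loaded from the database on the real site; escape every value
    // so a stored label or URL cannot break out of the markup.
    $html = '<nav class="menubar"><ul>';
    foreach ($items as $label => $url) {
        $html .= '<li><a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
               . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a></li>';
    }
    return $html . '</ul></nav>';
}

function injectMenubar(string $pageHtml, string $menubar): string
{
    // Insert right after the opening <body ...> tag if present, otherwise prepend.
    // A callback is used so that "$1"-style sequences in the menubar are not
    // interpreted as backreferences by preg_replace().
    $count = 0;
    $out = preg_replace_callback(
        '/<body\b[^>]*>/i',
        fn(array $m): string => $m[0] . $menubar,
        $pageHtml,
        1,
        $count
    );
    return $count === 1 ? $out : $menubar . $pageHtml;
}

// --- request handling ---
$path = resolveUserPage(PAGES_ROOT, (string)($_GET['p'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// file_get_contents() returns the file's bytes as a string. Nothing in it is
// parsed as PHP, unlike include/require or an AddHandler/AddType rule in .htaccess.
$page = file_get_contents($path);
if ($page === false) {
    http_response_code(500);
    exit('Could not read page');
}

// Constructed sample menu items standing in for the database lookup.
$menu = buildMenubar(['Home' => '/', 'Profile' => '/profile']);

header('Content-Type: text/html; charset=UTF-8');
echo injectMenubar($page, $menu);
```

This script only addresses server-side execution. As the answer notes, user-supplied JavaScript in the saved HTML is a separate problem, and running the content through HTMLPurifier at save time (the first option above) is what deals with that; the two measures are meant to be combined, not chosen between.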