I have a form with a text box that posts data to a php file that uses the function “htmlentities” to make it safe to email to the website owner.
The problem is that someone managed to get a hyperlink in the text and htmlentities() does not remove it.
This is my textbox html:
<input name="usertext" type="text" />
This is my PHP code that receives the post data (I left the email code out because that’s not the problem. I changed it to just echo the received data so I could try to replicate what the hacker did. If I know how he did it, I can find a way to stop it from happening):
echo trim(htmlentities($_POST["usertext"], ENT_QUOTES));
Now the hacker send some data and this was the result html (the source code – that means it showed a normal link in the browser):
<a target="_blank" href="mailto:nyjfvw@fbjgzy.com">nyjfvw@fbjgzy.com</a>
I thought that htmlentities() would always stop anyone from being able to enter html of any kind. If I enter a hyperlink such as:
<a href="aaa" />
I get:
<a href="aaa" />
But the hacker’s text was not encoded like that.
So my questions are:
- How did the hacker enter html tags so that the htmlentities() function did nothing to it?
- How would I replicate it for testing? (could be answered by above question)
I did some research and it might be possible that the hacker encoded his text in utf-7 or something?
I have already received a few emails with these same links. This hacker is obviously testing my website to see if he can do XSS or something.
Nice question! I think you can read this link that explain the problem and gives a solution.
The proposed solution is to specify to the browser (through a meta tag) which charset is used in the page.