Home/ Questions/Q 8063325
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T10:59:37+00:00

I may be thinking too much on this, but let’s say I have a

  • 0

I may be thinking too much on this, but let’s say I have a Website field on database. I’ve used strip_tags to strip all HTML tags. But if the user inputs this

javascript:alert(‘test’)

It will get passed since it’s a string. But then, the HTML will generate

<a href="<?php echo prep_url($website);?>">Website</a> //the code in view file
<a href="javascript:alert('test')">Website</a> //bad

and the Javascript will execute if clicked. Notice too the prep_url doesn’t work.

Any suggestion? I’ve looked at HTMLPurifier, but it is quite big on size and I don’t really want to do some major change.

Thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You shouldn’t use strip_tags if you expect a url, you should validate the URL and probably urlencode it. Here’s one way with filter_var:

    $url = "javascript:alert('test')";
var_dump(filter_var($url, FILTER_VALIDATE_URL));
// bool(false)

$url = "http://stackoverflow.com/questions/10918132";
var_dump(filter_var($url, FILTER_VALIDATE_URL));
// string(43) "http://stackoverflow.com/questions/10918132"

    So if filter_var($user_input, FILTER_VALIDATE_URL) is FALSE, don’t accept the user input. This should negate the need for CI’s xss_clean() although you may want to run it anyways when you put it in the HTML attribute. You may need to run prep_url on the input before validating if you don’t require the user to enter the http:// part.

    There are many ways to validate a URL, just pick one you like.

    • 0