Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I need your help with a really simple issue. Article Contents of some pages on my website are stored in MySQL database, and I’ve applied htmlspecialchars() to it when outputting to the browser, but actually there are legitimate <img src="images/me.jpg"> , which are rendered as plain text, meanwhile they are supposed to be valid images part of the article content.
How can I successfully display the image and at the same time avoid a possible XSS attack and the likes.
Thanks
Parse the HTML according to the HTML standard and discard any elements/attributes/attribute values you don’t want to keep. Check the
srcvalue of everyimgelement to see if it’s a valid URL, and if it is, check to see if it actually exists and is a valid image. If not, discard the element.If you use a proprietary formatting language (e.g. BBCode or Markdown), you should still perform the checks against the value provided for each
imgelement (many of the libraries that parse BBCode, Markdown, etc will perform these checks for you).