I run a website (sorta like a social network) that I wrote myself. I allow the members to send comments to each other. When a comment comes in, I take the comment and then call this line before saving it in the db:
$com = htmlentities($com);
When I want to display it, I call this piece of code:
$com = html_entity_decode($com);
This works out well most of the time. It allows the users to copy/paste youtube/imeem embed code and send each other videos and songs. It also allows them to upload images to photobucket and copy/paste the embed code to send picture comments.
The problem I have is that some people are basically putting in JavaScript code there as well that tends to do nasty stuff such as open up alert boxes, change the location of the webpage and things like that. I am trying to find a good solution to solving this problem once and for all. How do other sites allow this kind of functionality?
Thanks for your feedback
First: htmlentities or just htmlspecialchars should be used for escaping strings that you embed into HTML. You shouldn't use it for escaping strings when you insert them into a SQL query – use mysql_real_escape_string (for MySQL) or better yet – use prepared statements, which have bound parameters. Make sure that magic_quotes are turned off or disabled otherwise, when you manually escape strings.

Second: You don't unescape strings when you pull them out again. E.g. there is no mysql_real_unescape_string. And you shouldn't use stripslashes either – if you find that you need to, then you probably have magic_quotes turned on – turn them off instead, and fix the data in the database before proceeding.

Third: What you're doing with html_entity_decode completely nullifies the intended use of htmlentities. Right now, you have absolutely no protection against a malicious user injecting code into your site (you're vulnerable to cross site scripting, aka XSS). Strings that you embed into an HTML context should be escaped with htmlspecialchars (or htmlentities). If you absolutely have to embed HTML into your page, you have to run it through a cleaning solution first. strip_tags does this – in theory – but in practice it's very inadequate. The best solution I currently know of is HtmlPurifier. However, whatever you do, it is always a risk to let a random user embed code into your site. If at all possible, try to design your application such that it isn't needed.
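The following is an added illustration (not code from the question or the answer above) of the three points: why the encode-then-decode round trip protects nothing, storing the raw text with a prepared statement, and escaping at output time with htmlspecialchars or sanitizing with HTMLPurifier when embedded HTML is genuinely required. It assumes PDO with a `comments(body)` table and HTMLPurifier installed through Composer; the sample comment is constructed.

```php
<?php
// Added example, not from the original question/answer.
// Constructed sample comment carrying a script tag.
$userComment = 'Nice video! <script>alert("xss")</script>';

// What the question does: encode before storing, decode before display.
$stored    = htmlentities($userComment, ENT_QUOTES, 'UTF-8');
$displayed = html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
// The decode is the exact inverse of the encode, so the browser receives
// the original <script> tag unchanged: no protection at all.
var_dump($displayed === $userComment); // bool(true)

// Point one/two: store the RAW text via a bound parameter. No HTML escaping
// belongs here, and nothing needs to be "unescaped" when reading it back.
// Assumes an existing PDO connection $pdo and a comments(body) table.
function storeComment(PDO $pdo, string $comment): void {
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $comment]);
}

// Point three, option A (preferred): escape at the moment of output.
// The browser renders literal characters; nothing executes.
function renderPlainComment(string $comment): string {
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}
echo renderPlainComment($userComment), PHP_EOL;
// <p>Nice video! &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;</p>

// Point three, option B: if embeds (images, videos) must be allowed, run the
// HTML through a whitelist-based sanitizer. Assumes ezyang/htmlpurifier is
// installed and autoloaded via Composer.
require_once __DIR__ . '/vendor/autoload.php';
function renderRichComment(string $comment): string {
    $config = HTMLPurifier_Config::createDefault();
    // Only these elements/attributes survive; script, onclick, javascript: URIs are dropped.
    $config->set('HTML.Allowed', 'p,b,i,a[href],img[src|alt]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($comment);
}
echo renderRichComment($userComment), PHP_EOL; // script element removed, text kept
```

The whitelist in option B is deliberately narrow; widen it only for the specific embed markup the site actually needs, and keep option A for every field that never needs HTML.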