Yes, I am having a normal output from the database of a message, with this:
echo nl2br($show["status"]);
I am at a huge risk, as you can use HTML, e.g. if you write <h1>HAHA</h1> it turns out as HTML. If I do <?php echo "HAHA"; ?> nothing gets output, so I think it runs the echo. How can I be most safe, and strip everything a user would try to do, HTML, PHP and so on?
Entering <?php echo "HAHA"; ?> doesn't appear to do anything. If you right-click to "view source" on the page, you will see it is just output as plain text which the browser hides. Also, you are set up for a CSRF attack by not escaping your output. Instead use htmlspecialchars and strip_tags.
Also, strip_tags isn't enough on its own, as it doesn't validate BAD HTML.
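An added example (not code from either poster) of the escaping approach suggested above: htmlspecialchars is applied to the database value first, and nl2br only afterwards, so the <br /> tags that nl2br inserts are not themselves escaped. The function name renderStatus and the sample inputs are assumed; $show['status'] stands in for the row fetched from the database.

```php
<?php
// Added example, not from the original thread.
// Escape user-supplied text before nl2br() adds <br /> tags, so any
// markup a user typed is displayed literally instead of being rendered.

declare(strict_types=1);

// Hypothetical helper wrapping the escaping step for the "status" field.
function renderStatus(string $status): string
{
    // Escape first, then convert newlines. Doing it in the other order
    // would turn the <br /> inserted by nl2br() into &lt;br /&gt;.
    // ENT_QUOTES also escapes single quotes, so the value is safe inside
    // attribute values as well as element content; ENT_SUBSTITUTE avoids
    // returning an empty string on invalid UTF-8 input.
    $escaped = htmlspecialchars(
        $status,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );

    return nl2br($escaped);
}

// Constructed sample inputs matching what the question describes,
// plus one multi-line message to show nl2br() still works.
$samples = [
    '<h1>HAHA</h1>',
    '<?php echo "HAHA"; ?>',
    "line one\nline two",
];

foreach ($samples as $status) {
    $show = ['status' => $status];            // stands in for the DB row
    echo renderStatus($show['status']), "\n";
}
```

strip_tags can additionally be applied before escaping if tags should be removed rather than shown literally, but as the reply notes it is not a substitute for htmlspecialchars on its own.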