  1. #1
    rashidr (SitePoint Guru)

    How to disable HTML in TextBox/Textarea

    Some spammers are sending me links on a daily basis through my website contact email form. I have also inserted a reCAPTCHA security check.

    I don't want to block IPs, so I have decided to disable HTML in the input fields of my contact form, but I have no idea how to do this.

    Can anyone help me in writing this code or give me some helpful links? I have searched Google but I have not found any good results.

  2. #2
    ralph.m
    You could set up a bunch of regular expressions that check for link code and abort the form. E.g. a whole string of things like

    PHP Code:
    // true if the message contains "http" anywhere
    strstr($msg, "http")
    Do you know how to use preg_match?

  3. #3
    Cups (SitePoint Wizard)
    One way is to make it clear on your interface that you do not accept html tags, and be explicit about what you do allow in.

    Then, filter out anything which does not match what you expect.

    As an extreme, filter out anything that is not a space, letter or number:

    PHP Code:
    // remove all but numbers, letters, space and dash
    $input  = '0123?> Abc -_#';
    $output = preg_replace('#[^0-9a-z- ]#', '', strtolower($input));
    echo $output;
    // 0123 abc -
    Or look at using PHP's filter extension (PHP: Filter - Manual).

    Despite filtering, still go on and escape the input based on where it is going next, maybe your database?

    mysql_real_escape_string

    Or use PDO or mysqli's prepared statements (preferably)

    Finally escape the data when you get it out of your database for the next environment it is going to go to, e.g. a webpage.

    htmlentities and that family of escape mechanisms.

    Filter Input, Escape Output (FIEO) - sleep at night.
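
    An end-to-end version of the FIEO pattern Cups describes above, added here as an example; it is not code from the thread. It assumes PHP 8 with the pdo_sqlite extension (an in-memory SQLite table stands in for the real database), and the helper names reject_reason, store_message and render_message are my own. The "no HTML" rule is the thread's: one angle bracket, raw or entity-encoded, or a link is enough to abort.

```php
<?php
// Added example (not from the thread): "Filter Input, Escape Output" for a
// contact form, end to end. Assumes PHP 8 with the pdo_sqlite extension;
// the in-memory SQLite database stands in for the real one.

declare(strict_types=1);

/**
 * Return a reason string if the message is rejected, or null if it is clean.
 * Policy: the form says "no HTML", so a single angle bracket (raw or
 * entity-encoded) or an http(s) link is enough to abort.
 */
function reject_reason(string $msg): ?string
{
    if (preg_match('/<|>|&lt;|&gt;/i', $msg)) {
        return 'html not allowed';
    }
    if (preg_match('#https?://#i', $msg)) {
        return 'links not allowed';
    }
    return null;
}

/** Store a message with a prepared statement; the data never touches the SQL text. */
function store_message(PDO $db, string $name, string $msg): int
{
    $stmt = $db->prepare('INSERT INTO contact (name, body) VALUES (:name, :body)');
    $stmt->execute([':name' => $name, ':body' => $msg]);
    return (int) $db->lastInsertId();
}

/** Escape for the HTML context only at the point of output, not before storage. */
function render_message(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT name, body FROM contact WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p><b>' . $e($row['name']) . '</b>: ' . $e($row['body']) . '</p>';
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT, body TEXT)');

// Constructed sample submissions (what $_POST would carry on a real form).
$submissions = [
    ['name' => "O'Brien",  'msg' => 'Hello, is the shop open on Sunday?'],
    ['name' => 'spambot',  'msg' => 'cheap stuff http://example.invalid/buy'],
    ['name' => 'spambot',  'msg' => 'look &lt;a href=&quot;x&quot;&gt;here&lt;/a&gt;'],
    ['name' => 'x',        'msg' => "' OR 1=1 -- just text to a prepared statement"],
];

foreach ($submissions as $s) {
    $why = reject_reason($s['msg']);
    if ($why !== null) {
        echo "rejected ({$why}): {$s['msg']}\n";
        continue;
    }
    $id = store_message($db, $s['name'], $s['msg']);
    echo "stored #{$id}: " . render_message($db, $id) . "\n";
}
```

    Note that the two layers do different jobs: the filter enforces the site's "no HTML, no links" policy, the prepared statement keeps the fourth message from being interpreted as SQL, and htmlspecialchars() keeps the apostrophe in "O'Brien" from breaking the page. Removing any one of the three would not be covered by the other two.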

  4. #4
    rashidr (SitePoint Guru)
    Thanks... This is helpful

  5. #5
    eruna (SitePoint Guru)
    strip_tags removes HTML.

    PHP Code:
    if (strip_tags($msg) != $msg) {
        // message contains html
    }
    Last edited by eruna; May 17, 2011 at 11:02. Reason: submitted by accident

  6. #6
    Cups (SitePoint Wizard)
    It won't deal with this kind of stuff though.

    HTML_Purifier used to be all the rage a while ago, every time someone mentioned filtering tags. Anyone know if it is as potent and well thought of as it used to be?

  7. #7
    eruna (SitePoint Guru)
    That's interesting. What's the best way to block this type of attack?

    It seems especially problematic in public spaces where you need to enable users to insert html code. I don't fully understand how this works, but it looks like the attack can be fully disguised. Blocking special characters would work, but there are many times when special characters can't be blocked.

    Is it possible to run the message through decoding operations, checking for malicious code between each conversion?

    E

  8. #8
    Cups (SitePoint Wizard)
    @rashidr reading the title and question you originally posed again, I would take the view that if you stipulate 'no html' clearly enough on your interface - then you are justified in aborting the operation if you find just one single opening or closing tag.

    That's very easy to do. For real humans who make a mistake, if you would like to be kind to them, you can also detect the inclusion of a < or > and pop up a JS alert to warn them.

    The bots will not of course run into this JS alert problem, hence your fallback position in all cases must remain:

    PHP Code:
    // abort on any < or >, raw or entity-encoded
    if (preg_match('/<|>|&lt;|&gt;/i', $msg)) {
        die();
    }

    Then just escape the data properly as you store it.

  9. #9
    Cups (SitePoint Wizard)
    Quote (eruna, #7): It seems especially problematic in public spaces where you need to enable users to insert html code. I don't fully understand how this works, but it looks like the attack can be fully disguised. Blocking special characters would work, but there are many times when special characters can't be blocked.
    That was the particular task HTML_Purifier was designed for, although as I said, I am unsure about what has happened to it, or indeed if any of the PHP5 Filter classes now deals with this issue.

    Many attack vectors use attributes within the tags (i.e. <b id="attack in here">), not the tags themselves, and as such this is a difficult thing to pull off on your own.
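
    The following is an added example (my code, not from the thread) that implements what eruna asks about in #7 together with the rule Cups gives in #8: decode entity and URL encodings until the string stops changing, then refuse the message if a single angle bracket survives, whatever attribute or tag name it belongs to. It runs on plain PHP 8 with no extensions; normalise, contains_markup and strip_tags_changed are my names, and the sample inputs are constructed. The last column is compared against the strip_tags() check from #5.

```php
<?php
// Added example (not from the thread). Decode layered encodings until the
// string is stable, then apply the "any < or > means markup" rule.
// Plain PHP 8, no extensions required.

declare(strict_types=1);

/**
 * Normalise away layered encodings (HTML entities, numeric character
 * references, percent-encoding, including percent-encoding applied twice).
 * Bounded so a pathological input cannot loop forever; real submissions
 * never need more than a round or two.
 */
function normalise(string $s, int $maxRounds = 5): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $next = rawurldecode(html_entity_decode($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
        if ($next === $s) {
            break;
        }
        $s = $next;
    }
    return $s;
}

/** The rule from #8: any < or >, however it was written, counts as markup. */
function contains_markup(string $msg): bool
{
    return strpbrk(normalise($msg), '<>') !== false;
}

/** The check from #5, for comparison: only raw, well-formed tags change the string. */
function strip_tags_changed(string $msg): bool
{
    return strip_tags($msg) !== $msg;
}

// Constructed samples. The attribute payload is the shape Cups mentions in #9:
// the tag name is harmless, the attribute carries the content.
$samples = [
    'Hello, is the shop open on Sunday?',
    '<b id="attack in here">bold</b>',
    '&lt;b id=&quot;attack in here&quot;&gt;bold&lt;/b&gt;',
    '%3Cb%20id%3D%22attack%22%3E',
    '%253Cb%253E',                 // percent-encoded twice
    '&#60;b&#62;',                 // numeric character references
    '5 > 3 is true',               // honest text that the strict rule also rejects
];

printf("%-55s %-12s %s\n", 'input', 'strip_tags', 'normalised');
foreach ($samples as $s) {
    printf("%-55s %-12s %s\n", $s,
        strip_tags_changed($s) ? 'rejects' : 'passes',
        contains_markup($s)    ? 'rejects' : 'passes');
}
```

    The table it prints makes the trade-off visible: the encoded forms pass the strip_tags() comparison untouched and are only caught once decoded, while the strict bracket rule also rejects ordinary text such as "5 > 3". For a contact form that states "no HTML" that false positive is acceptable; for a public space that must accept some HTML it is not, which is where a real sanitizer such as HTML_Purifier comes in.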

  10. #10
    eruna (SitePoint Guru)
    Cups, thank you! I just looked up HTML Purifier and it's awesome. I'm definitely going to use this.

