  1. #1 DoubleDee

    Problem with Apostrophe

    When a user uploads a photo for their profile, I allow them to add an optional Photo Label like this...

    Sam's Spiral GIF

    To protect against XSS attacks, I wrapped the Photo Label with htmlentities like this...

    PHP Code:
            title='" . htmlentities($photoLabel) . "' /> 

    The problem is that when I hover over the user's photo, I see this...

    Sam & #039 ; s Spiral GIF
    (I added spaces above because it keeps getting converted by SitePoint?!)


    How can I use htmlentities() and get my output to look proper?

    Thanks,


    Debbie

  2. #2 cpradio
    Might want to use addslashes instead

  3. #3 DoubleDee
    Quote Originally Posted by cpradio:
    Might want to use addslashes instead
    But I believe addslashes() is intended for escaping data before it goes into a database.

    I need to safely handle data during output to the screen...


    Debbie

  4. #4 spikeZ
    addslashes() on the way in
    stripslashes() on the way out.
    Mike Swiffin - Community Team Advisor
    Only a woman can read between the lines of a one word answer.....

  5. #5 Jeff Mott
    addslashes is related to SQL injection, so it doesn't apply here.

    @Debbie I suspect that somewhere along the way, you've double-escaped the photo label. Check where the value of photoLabel comes from and everything it passes through, and make sure it hasn't already been run through htmlentities.
    "First make it work. Then make it better."

  6. #6 DoubleDee
    Quote Originally Posted by Jeff Mott:
    addslashes is related to SQL injection, so it doesn't apply here.

    @Debbie I suspect that somewhere along the way, you've double-escaped the photo label. Check where the value of photoLabel comes from and everything it passes through, and make sure it hasn't already been run through htmlentities.
    You would be correct.

    Turns out I had htmlentities in a function above and then again in my HTML.

    Thanks!


    Debbie

  7. #7 cpradio
    Quote Originally Posted by Jeff Mott:
    addslashes is related to SQL injection, so it doesn't apply here.

    @Debbie I suspect that somewhere along the way, you've double-escaped the photo label. Check where the value of photoLabel comes from and everything it passes through, and make sure it hasn't already been run through htmlentities.
    It is true that addslashes is primarily for SQL Injections, but look at the code provided again.
    PHP Code:
    title='" . htmlentities($photoLabel) . "' /> 
    Notice she has single quotes for the title attribute, so her output (without htmlentities) would have been title='Sam's Spiral GIF'. So my point is, addslashes would have worked here too but it wouldn't take care of XSS attacks like htmlentities would.

  8. #8 Jeff Mott
    Quote Originally Posted by cpradio:
    Notice she has single quotes for the title attribute, so her output (without htmlentities) would have been title='Sam's Spiral GIF'. So my point is, addslashes would have worked here too but it wouldn't take care of XSS attacks like htmlentities would.
    Too many programming languages on the brain. It can be easy to mix them up. In languages such as PHP and JavaScript, a backslash escapes special characters. But in HTML, the backslash has no special meaning at all.
    "First make it work. Then make it better."
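The three behaviours discussed in this thread (escaping once, the double-escape that produced "Sam &#039;s", and why a backslash from addslashes() does nothing in HTML) side by side, as an added example that is not code from any of the posters; the attr() and imgTag() helpers and the photo label value are constructed for the illustration.

```php
<?php
// Added example, not from the thread. Shows the single-escape, double-escape
// and addslashes() variants of the title attribute discussed above.

// Escape a value for use inside an HTML attribute. ENT_QUOTES is needed
// because the attribute is single-quoted; without it ' is left untouched.
function attr(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The template: the ONLY place where escaping should happen.
function imgTag(string $label): string
{
    return "<img src='photo.jpg' title='" . attr($label) . "' />";
}

$photoLabel = "Sam's Spiral GIF"; // constructed user input

// 1. Correct: escaped once at output. The apostrophe becomes &#039; in the
//    source, and the browser decodes it back to ' in the tooltip.
echo imgTag($photoLabel), "\n";

// 2. The bug in the thread: a helper escaped the label before it reached the
//    template, and the template escaped it again. The & of &#039; is turned
//    into &amp;#039;, which the browser renders literally as "&#039;".
$alreadyEscaped = attr($photoLabel);
echo imgTag($alreadyEscaped), "\n";

// 3. Wrong tool: addslashes() only prepends a backslash. HTML gives \ no
//    meaning, so the apostrophe still terminates the single-quoted attribute
//    and whatever follows it is parsed as markup.
echo "<img src='photo.jpg' title='" . addslashes($photoLabel) . "' />\n";
```

htmlentities() has a fourth parameter, double_encode, which when set to false leaves existing entities alone, but that only masks a second escaping pass; the fix is to find and remove the extra call so the value is escaped exactly once, at output.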

