I’m working on an app that will regularly accept code input from a textarea and display it on another page. Whats the best way to filter it to prevent it from executing in my scripts? Using pre tags and htmlspecialchars?
that should be ok.
though I would use htmlentities() with ENT_QUOTES instead of htmlspecialchars().
Good idea, thanks! Would typecasting the form input as a string do anything to help as well?
probably not as the data type for input to a <textarea> is a string anyway.
but I’ve never added a <textarea> in a form where the expected input is actual code.
Here’s a useful resource that I came across recently that helps to deal with embedded tags too.
How to: Sanitize Database Inputs
I use and prefer htmlspecialchars() for quick-n-dirty display of such things where no HTML is supposed to be getting through. If you are storing this data in the database, don’t use htmlspecialchars() at that time. Instead, assume everything coming out of the database is attempting to execute something and use htmlspecialchars() at the time of display.
If you want to allow any HTML through, then you need serious HTML filtering. I recommend HTML Purifier:
You should be forewarned that it is a serious resource hog but it does a fantastic job of filtering bad content. So I’d run it prior to storing data in a database and then assume that the stored data is okay to display from there without filtering it again because of the performance issues around HTML Purifier.