HTML Textfield preventing HTML/CSS/PHP injection?

+2 Jonas Meise · August 13, 2015
Hey Guys.

I am currently programming on my website www.lupaw.ch and I stumbled upon a potential security problem.
I've made a login system for my admin account so I can edit the text of the website right while using it. Now, for editing and adding new posts, I've made some text fields so I can add a new title, text and date to the site. Theoretically no one else except me should be able to even use those edit buttons I've made, because they are only created while logged in.

It still bothers me, though, that if I edit the textarea and write HTML styling code in there, it actually gets interpreted as code. So if I write, for example, `<h1 style="font-family: Arial"> text <h1>`, it saves this on the MySQL server and then on the website the text is actually displayed with the font-family Arial. So is there a good way to make it impossible to write working code in a textarea, or in other words, is there a way for the textarea content to be treated as normal text without trying to find pieces of program code in there?
Like a way so it automatically puts a \ before everything that could be interpreted as code?

Thanks for taking time to answer me. :)

LuPaw
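One way to make the stored text display as literal text rather than as markup, as an added PHP example that is not part of the original post: leave the text unchanged when storing it, and escape it at the moment it is written into the HTML page. The table name `posts`, its columns and the `$_SESSION['admin']` flag are assumptions; PHP 7+ and a UTF-8 page are assumed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post or site.
// The goal: text typed into the admin textarea is shown, not rendered,
// so "<h1 style=...>" appears on the page as those characters.

/**
 * Escape untrusted text for placement inside HTML element content.
 * ENT_QUOTES also escapes ' and ", so the same helper is safe inside
 * attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 * silently returning an empty string.
 */
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render a post body that came from a textarea. Escape first, then turn
 * newlines into <br>; if the order were reversed the escaper would also
 * neutralise the <br> tags that nl2br inserts.
 */
function renderPostBody(string $body): string
{
    return nl2br(e($body), false);
}

/**
 * Store the raw text as typed. Escaping is an output concern, so nothing is
 * altered here; the bound parameters keep the SQL side safe no matter what
 * the text contains. (Table/column names are assumed for this example.)
 */
function savePost(PDO $db, string $title, string $body, string $date): void
{
    // Hiding the edit buttons in the UI is not authorisation: the save
    // endpoint itself must check the login state. Session key is assumed.
    if (empty($_SESSION['admin'])) {
        http_response_code(403);
        exit;
    }
    $stmt = $db->prepare(
        'INSERT INTO posts (title, body, posted_on) VALUES (:title, :body, :date)'
    );
    $stmt->execute([':title' => $title, ':body' => $body, ':date' => $date]);
}

// Constructed sample input, the same string as in the question.
$input = '<h1 style="font-family: Arial"> text <h1>' . "\nsecond line";
echo renderPostBody($input);
```

With this, every `<`, `>` and `"` in the sample becomes an HTML entity, so the browser shows the tag text on the page instead of applying an Arial heading. The same `e()` helper must be applied to the title and date wherever they are echoed, not only to the body.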

Replies

0 Tatrasiel R · August 14, 2015
Here is one of the biggest problems on the web. They haven't fixed this yet. htmlentities between JavaScript doesn't escape well.

With SQLi we can use PDOs; with XSS it's really, really hard.
