Question

I have some questions about how to avoid XSS injection and remove tags:

I'm using Summernote and I want to allow some tags like <br>, <p>, <strong>, etc. I could use the function strip_tags(), but if someone writes the greater-than (>) or less-than (<) symbol, for instance:

(4 > 5).

This is removed and I want to keep it.

Besides, I need to know the correct length of the text that was entered because I don't want to allow more than N characters, let's say no more than 300 characters. In order to get this I would use strip_tags(), but the string is truncated as I mentioned before. How can I do this?

Obviously, I want to avoid XSS injection, so I would use htmlentities(strip_tags(string), ENT_QUOTES) to save in the DB, and when I want to show the content on the main page I would use html_entity_decode(string). Is that enough to avoid it?

Thanks in advance


Solution

Don't use strip_tags! If a user tries to enter something like The bob said <the-secret>, it will be stripped! htmlentities is unnecessary. You want htmlspecialchars:

$input = "<script>alert('ur screwed')</script>";
echo htmlspecialchars($input);

Returns &lt;script&gt;alert('ur screwed')&lt;/script&gt;. Decode with htmlspecialchars_decode.
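The following is an added example, not code from the answer above or from Summernote. It puts the answer's advice next to the question's two requirements: measure the length limit on the raw text the user typed (the `MAX_LEN` constant and the two helper functions are assumed names), store the text escaped with `htmlspecialchars()`, and echo the stored string as-is. It also shows what `strip_tags()` does to the sample inputs from the thread, and why decoding the stored value before output would undo the protection.

```php
<?php
// Added example: enforce a length limit on the raw input, escape for
// storage/output, and compare with strip_tags() on the thread's samples.

const MAX_LEN = 300; // the question's limit; assumed constant name

function lengthOk(string $raw): bool
{
    // Count the characters the user actually typed. Counting after
    // htmlspecialchars() would inflate the total ("<" becomes "&lt;"),
    // and counting after strip_tags() would undercount whatever it dropped.
    return mb_strlen($raw, 'UTF-8') <= MAX_LEN;
}

function escapeForStorage(string $raw): string
{
    // ENT_QUOTES escapes both ' and ", so the value is also safe inside a
    // quoted HTML attribute; ENT_SUBSTITUTE replaces invalid UTF-8 rather
    // than returning an empty string.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs, taken from the question and the answer.
$samples = [
    "4 > 5",
    "The bob said <the-secret>",
    "<script>alert('ur screwed')</script>",
];

foreach ($samples as $raw) {
    printf("raw:        %s\n", $raw);
    printf("strip_tags: %s\n", strip_tags($raw));       // drops anything that looks like a tag
    printf("escaped:    %s\n", escapeForStorage($raw)); // safe to echo into an HTML page
    printf("length ok:  %s\n\n", lengthOk($raw) ? 'yes' : 'no');
}

// Output side: echo the stored (escaped) string unchanged. Calling
// htmlspecialchars_decode() or html_entity_decode() on it first would turn
// "&lt;script&gt;" back into "<script>" and re-create the XSS problem.
$stored = escapeForStorage("<script>alert('ur screwed')</script>");
echo "<p>" . $stored . "</p>\n"; // the browser displays the literal text
```

If some tags really must survive (the question's <br>, <p>, <strong>), escaping everything and then selectively allowing a fixed list of attribute-free tags is still safer than stripping: the stored text keeps every character the user typed, and only the exact tags on the allow list are ever sent to the browser unescaped.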

Licensed under: CC-BY-SA with attribution