Hi guys, I asked a friend to try and hack my site to see how safe it is. He hasn't been able to get to the database or do any serious damage, but he has used JS injection to get past my strip_tags() function.

I would like to know how to stop that. He somehow got through and used the marquee tag. The thing is I only see one marquee tag but he somehow got it to work.


Do you have the site url?
Also, are you allowing any tags to work using strip_tags?

After you have stripped, try htmlspecialchars() on the string too.

I am not allowing any tags with strip_tags, and I will try the htmlspecialchars also.

And... can preg_replace help? Replace any "</>" tags? If so can someone show a quick usage as I am not familiar with it.

Simply remove all < and > characters, htmlspecialchars should do this though:

$string = str_replace(array("<", ">"), array("&lt;", "&gt;"), $string);

Alright thanks a lot I will give that a go.

Yes, htmlspecialchars should do the job. Also, you should not allow some other characters either, like * ' " etc... I'm not sure if the specialchars replaces those. But it should remove all kinds of code.
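A worked comparison of the two approaches discussed in this thread, as an added example that is not code from any of the posters. The helper name h() and the constructed sample inputs are my own; the behaviour shown is that of PHP's built-in strip_tags() and htmlspecialchars(). The point it demonstrates is that strip_tags() is a filter (it deletes what it recognises as a tag and leaves everything else, including attributes on any tag you pass in the allowed list), whereas htmlspecialchars() is an encoder: it turns every <, >, &, " and ' into an entity, so whatever the browser receives is rendered as text rather than parsed as markup. With ENT_QUOTES both quote characters are converted, which answers the question raised above about ' and "; the * character has no meaning in HTML and does not need escaping.

```php
<?php
// Added example (not from the thread): tag stripping vs output encoding.
declare(strict_types=1);

/**
 * Encode a value for safe insertion into HTML text or a quoted attribute.
 * ENT_QUOTES escapes both ' and ", ENT_SUBSTITUTE replaces invalid UTF-8
 * instead of returning an empty string, and the charset is stated explicitly.
 * (h() is a hypothetical helper name chosen for this example.)
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * The approach the thread started with: strip tags on the way in.
 * Passing an allowed-tags list keeps those tags AND any attributes on them,
 * which is why filtering alone is fragile.
 */
function stripped(string $value, string $allowed = ''): string
{
    return strip_tags($value, $allowed);
}

// Constructed sample inputs; the marquee case mirrors what the poster saw.
$samples = [
    'plain text',
    '<marquee>scrolling</marquee>',
    'a < b and c > d',               // stray angle brackets, not a real tag
    "it's a \"quoted\" value",        // quotes, which strip_tags ignores
];

foreach ($samples as $in) {
    printf("input:            %s\n", $in);
    printf("strip_tags:       %s\n", stripped($in));
    printf("htmlspecialchars: %s\n\n", h($in));
}

// Where the encoding belongs: at the point the value is written into HTML.
// Store user input unchanged in the database, then encode on output.
$comment = '<marquee>from a form</marquee>';
echo '<p class="comment">' . h($comment) . '</p>' . PHP_EOL;
// Renders literally as: <marquee>from a form</marquee> (no scrolling, no markup)
```

Run it with `php example.php`. Note that the marquee input comes out of strip_tags() as just "scrolling" (the content survives, the tag is gone) while htmlspecialchars() keeps the full text but as inert entities. Because the encoding depends on where the value is inserted, apply h() at the output site inside HTML text or double-quoted attributes; a value placed inside a script block or a URL needs a different encoder, which htmlspecialchars() alone does not provide.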
