Handling HTML Sent by the User


Here’s another validation consideration: what if users include HTML in the data they’re sending you, and you don’t want them to do so? Such HTML can be malicious, for example when it includes JavaScript that redirects the browser to another page.

There are ways of stripping out unwanted HTML. For example, say that you ask the user for their comments on your Web page, and you want to display those comments, but not any HTML they contain. You could do that in a new page, handlehtml.php. Everything in this page is as you’d expect, except when it is time to display the user’s comments: at that point you can use the PHP strip_tags function to strip any HTML out, as shown here:

 <html>
   <head>
     <title>Handling HTML</title>
   </head>
   <body>
     <center>
       <h1>Handling HTML</h1>
       <?php
         $errors = array();

         if (isset($_REQUEST["already_shown"])) {
           validate_data();
           if (count($errors) != 0) {
             show_errors();
             display_welcome();
           }
           else {
             handle_data();
           }
         }
         else {
           display_welcome();
         }

         function validate_data()
         {
           global $errors;
           // A missing or blank comments field is an error; isset avoids an
           // undefined-index notice when the field was never submitted.
           if (!isset($_REQUEST["comments"]) || trim($_REQUEST["comments"]) == "") {
             $errors[] = "<font color='red'>Please enter your " .
               "comments</font>";
           }
         }

         function show_errors()
         {
           global $errors;
           foreach ($errors as $err) {
             echo $err, "<br>";
           }
         }

         function handle_data()
         {
           echo "Your comments were ";
           // strip_tags removes any HTML tags from the submitted text
           $text = strip_tags($_REQUEST["comments"]);
           echo $text;
         }

         function display_welcome()
         {
           echo "<form method='post' action='handlehtml.php'>";
           echo "Enter your comments<br>";
           echo "<input name='comments' type='text'>";
           echo "<br><br>";
           echo "<input type='submit' value='Submit'>";
           echo "<input type='hidden' name='already_shown' " .
             "value='hidden_data'>";
           echo "</form>";
         }
       ?>
     </center>
   </body>
 </html>

Now users can enter HTML in their comments, as shown in Figure 14.18.

Figure 14.18: The handlehtml.php page accepts HTML.

And that HTML is stripped out in the final result, as shown in Figure 14.19.

Figure 14.19: The HTML has been stripped out.

In fact, there’s another way of handling HTML text: you can use the htmlentities function, which renders HTML harmless. This function “escapes” HTML by converting sensitive characters such as < into &lt;, > into &gt;, and so on, which means that browsers will display a character such as < as a literal <, not as the beginning of a tag. Escaping at output time is the more robust of the two approaches: strip_tags removes tags but does not encode whatever text remains, so it is not a substitute for output encoding.

Presently, the handle_data function looks like this:

 function handle_data()
 {
   echo "Your comments were ";
   $text = strip_tags($_REQUEST["comments"]);
   echo $text;
 }

You can use the htmlentities function in place of strip_tags like this:

 function handle_data()
 {
   echo "Your comments were ";
   $text = htmlentities($_REQUEST["comments"]);
   echo $text;
 }

Now when the user enters HTML, that HTML will be escaped and displayed literally in the final result, as shown in Figure 14.20.

Figure 14.20: The HTML has been escaped.
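The following is an added example, not code from the book: a command-line script that runs both approaches side by side on a few constructed comment strings (the function names render_comment and strip_comment are chosen here). It shows what the figures cannot: strip_tags can swallow legitimate text that merely looks like a tag, while htmlentities with ENT_QUOTES keeps the text intact and also neutralises quote characters, which matters when a comment is placed inside an attribute value.

```php
<?php
// Added example, not code from the book: compare strip_tags with
// htmlentities on constructed comment strings. Run as: php compare.php
declare(strict_types=1);

// Recommended way to place untrusted text into an HTML page: encode it.
// ENT_QUOTES also encodes ' and ", so the result is safe inside quoted
// attribute values as well as in element text; the charset is explicit
// so multibyte input is not dropped or mis-decoded.
function render_comment(string $comment): string
{
    return htmlentities($comment, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The book's first approach, kept here to show where it falls short.
function strip_comment(string $comment): string
{
    return strip_tags($comment);
}

// Constructed sample comments (not real user input): plain text, a
// harmless tag, text that merely looks like a tag, quotes, and the kind
// of redirect script the chapter warns about.
$samples = [
    'Nice page, thanks!',
    'Try <b>bold</b> text',
    'if a<b and b>c then a<c',
    'It\'s "quoted"',
    "<script>document.location='http://example.invalid/'</script>",
];

foreach ($samples as $s) {
    echo "input:        $s\n";
    echo "strip_tags:   " . strip_comment($s) . "\n";
    echo "htmlentities: " . render_comment($s) . "\n\n";
}
```

Compare the third sample in the two output columns: strip_tags drops everything between the first < and the following >, and whatever follows an unclosed <, whereas htmlentities preserves it character for character.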



Ajax Bible
ISBN: 0470102632