
I have a form with a text box that posts data to a php file that uses the function "htmlentities" to make it safe to email to the website owner.

The problem is that someone managed to get a hyperlink in the text and htmlentities() does not remove it.

This is my textbox html:

<input name="usertext" type="text" />

This is my PHP code that receives the post data (I left the email code out because that's not the problem. I changed it to just echo the received data so I could try to replicate what the hacker did. If I know how he did it, I can find a way to stop it from happening):

echo trim(htmlentities($_POST["usertext"], ENT_QUOTES));

Now the hacker sent some data and this was the resulting HTML (the source code, which means it showed a normal link in the browser):

<a target="_blank" href="mailto:[email protected]">[email protected]</a>

I thought that htmlentities() would always stop anyone from being able to enter html of any kind. If I enter a hyperlink such as:

<a href="aaa" />

I get:

&lt;a href="aaa" /&gt;

But the hacker's text was not encoded like that.

So my questions are:

  1. How did the hacker enter html tags so that the htmlentities() function did nothing to it?
  2. How would I replicate it for testing? (could be answered by above question)

I did some research and it might be possible that the hacker encoded his text in UTF-7 or something?

I have already received a few emails with these same links. This hacker is obviously testing my website to see if he can do XSS or something.

  • Log the raw request with the content of the $_POST["usertext"] field when submitted. You can also add an encoding to htmlentities that should match the encoding of the content. Commented Jan 10, 2013 at 14:57
  • Did you check for included JavaScript somewhere, maybe it's created dynamically? Commented Jan 10, 2013 at 15:16
  • Are you properly encoding your html content before sending? Commented Jan 10, 2013 at 15:20
  • Worrying about the way the form sends the data is, I think, irrelevant, because a hacker could just use a program to post the data (libcurl, for example). So I only want to figure out why the PHP code does not work. Commented Jan 10, 2013 at 15:27

4 Answers


Nice question! I think you can read this link, which explains the problem and gives a solution.

The proposed solution is to specify to the browser (through a meta tag) which charset is used in the page.


1 Comment

Thanks. That link is very interesting and it seems like the hacker could have used UTF-7. The only problem is that when I copy UTF-7 examples to my text box and submit it, the browser just shows the exact characters and does not convert them to HTML tags. Anyway, it seems to be the only way the hacker would probably do it. I'll specify UTF-8 where I can, e.g. (PHP code) header('Content-Type: text/html; charset=utf-8'); That might work. Since I can't replicate what the hacker did, I'll never know if it works until he tries again :)
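The following PHP script is an added example, not code from the question or from any of the answers. It shows the mechanism the accepted answer points at: a tag written in UTF-7 consists only of ASCII letters, digits, spaces, '+' and '-', so htmlentities() finds nothing to escape, while a client that decodes the response as UTF-7 turns it back into a real tag. The function names encodeForHtml() and toUtf7() and the sample payload are my own; the small UTF-7 encoder assumes ASCII input. Note that a browser form cannot be used to reproduce this, because the browser re-encodes what you type as UTF-8 before posting; the raw UTF-7 bytes have to be sent by a tool such as curl, which is why pasting UTF-7 into the text box shows the literal characters.

```php
<?php
// Added example (not from the original question or answers). Demonstrates why an
// undeclared charset lets markup slip past htmlentities(): the UTF-7 form of a
// tag is pure ASCII with no '<', '>', '"' or '&', so nothing gets escaped, yet a
// client that guesses UTF-7 decodes it into the original tag. The payload is
// constructed here; the helper names are assumptions, not PHP built-ins.
declare(strict_types=1);

// Declare the charset before any output so the browser never has to guess
// (the HTTP-header form of the <meta> tag fix from the accepted answer).
header('Content-Type: text/html; charset=utf-8');

/** Hardened version of the question's call: the charset is stated explicitly. */
function encodeForHtml(string $input): string
{
    return htmlentities(trim($input), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Minimal RFC 2152 UTF-7 encoder for ASCII input (assumption: ASCII only).
 * Set D characters are copied as-is; every other character becomes a
 * '+<modified base64 of its UTF-16BE code unit>-' run, so '<' becomes '+ADw-'.
 */
function toUtf7(string $ascii): string
{
    $out = '';
    foreach (str_split($ascii) as $ch) {
        if (ctype_alnum($ch) || strpos(" '(),-./:?", $ch) !== false) {
            $out .= $ch;                                   // direct character
        } elseif ($ch === '+') {
            $out .= '+-';                                  // escaped literal '+'
        } else {
            $b64 = rtrim(base64_encode("\x00" . $ch), '=');  // UTF-16BE, no padding
            $out .= '+' . $b64 . '-';                      // shifted character
        }
    }
    return $out;
}

$tag = '<a href="aaa" />';   // constructed test input, the same tag the question used

// 1. Posted as plain UTF-8, the tag is neutralised, as the question observed.
echo encodeForHtml($tag), PHP_EOL;

// 2. Posted as UTF-7, the same tag passes through htmlentities() byte-for-byte,
//    because the encoded form contains none of the characters it escapes.
$payload = toUtf7($tag);
echo $payload, PHP_EOL;
$unchanged = encodeForHtml($payload) === $payload;
echo 'htmlentities() left the UTF-7 payload unchanged: ', var_export($unchanged, true), PHP_EOL;

// 3. A client that decodes the page as UTF-7 (old IE did this when no charset
//    was declared) recovers the original tag, so the filter was bypassed.
echo mb_convert_encoding($payload, 'UTF-8', 'UTF-7'), PHP_EOL;
```

Run it with `php example.php` (the mbstring extension is needed for the final decode). The defence is twofold and both halves matter: declare the charset on every response, via the Content-Type header or a <meta> tag, and pass the same charset as the third argument of htmlentities(), so the encoder and the browser agree on what a byte means. Current browsers no longer decode UTF-7 at all, so this specific bypass is historical, but any mismatch between the declared and the assumed charset reopens the same class of problem.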

I think strip_tags exactly matches your needs: http://php.net/manual/en/function.strip-tags.php



This isn't the most elegant solution, but without seeing the rest of your code, you could check to see if the usertext field contains the string "href" and deny it.

1 Comment

That is one way, and I will do that if no one can figure out how the hacker got past the htmlentities function.

Would htmlspecialchars() do the trick? This article on W3Schools appears to suggest that.

