
I have written a simple contact form script and am trying to add XSS validation to it using the method described on W3Schools. Unfortunately it doesn't work: if I enter a "<" in one of the fields and then submit, it comes out as "<" when I receive it via email.

Can anyone suggest what I'm doing wrong?

Data collection section

$name = $co = $email = $tel = $message = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $name = test_input($_REQUEST['name']);
    $co = test_input($_REQUEST['company']);
    $email = test_input($_REQUEST['email']);
    $tel = test_input($_REQUEST['tel']);
    $message = test_input($_REQUEST['message']);
}

Data testing function

function test_input($data) {
    $data = trim($data);             // drop leading/trailing whitespace
    $data = stripslashes($data);     // remove backslashes added by magic quotes
    $data = htmlspecialchars($data); // encode <, >, & and " as HTML entities
    return $data;
}

Many Thanks


1 Answer


Maybe your email client is configured to show the email as HTML. htmlspecialchars will convert < to &lt;. Try to display your email as plain text.


3 Comments

Thanks for the suggestion. I set Outlook to read messages as plain text but the "<" symbol was still showing.
I don't see any problems in the code you provided. Maybe some reconverting happens before sending the email? You might be better off using $_POST instead of $_REQUEST.
Thanks, I tried both $_POST and $_REQUEST and it had the same outcome however I think you're right. I think what's happening (from the message I'm getting from Outlook) is that it's retrieving the message as HTML and then converting it to plain text which I imagine causes the "<" to be converted anyway.
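The point raised in the answer is that htmlspecialchars is HTML-context output encoding: in an HTML email the entity &lt; renders as a literal "<", which is exactly the intended, safe result, while in a text/plain email the entity would show up as the characters "&lt;". The following is an added example (not the asker's code) showing how to pick the encoding to match the declared Content-Type of the message body; the field names and the build_contact_mail helper are assumptions for illustration, and stripslashes is left out because it only mattered under the long-removed magic_quotes setting.

```php
<?php
// Added example: encode user input according to the context it will be
// displayed in, and declare that context in the email headers.
function sanitize_for_context(string $data, string $contentType): string {
    $data = trim($data);
    if ($contentType === 'text/html') {
        // HTML body: entities make the client display "<b>" instead of
        // interpreting it as markup.
        return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
    // Plain-text body: the client does not parse HTML, so entity encoding
    // would only leave literal "&lt;" in the message. Pass the text through.
    return $data;
}

// Builds headers and body for the contact email (hypothetical helper).
function build_contact_mail(array $fields, string $contentType = 'text/plain'): array {
    $lines = [];
    foreach ($fields as $label => $value) {
        $lines[] = $label . ': ' . sanitize_for_context($value, $contentType);
    }
    $body = $contentType === 'text/html'
        ? '<pre>' . implode("\n", $lines) . '</pre>'
        : implode("\n", $lines);
    $headers = [
        'MIME-Version: 1.0',
        // The declared type must agree with the encoding chosen above.
        'Content-Type: ' . $contentType . '; charset=UTF-8',
    ];
    return ['headers' => implode("\r\n", $headers), 'body' => $body];
}

// Constructed sample input containing the "<" from the question.
$fields = ['Name' => 'Alice', 'Message' => 'Hi <b>there</b> & friends'];

$plain = build_contact_mail($fields, 'text/plain');
// $plain['body'] contains the literal "<b>"; a plain-text client shows it as typed.
$html = build_contact_mail($fields, 'text/html');
// $html['body'] contains "&lt;b&gt;"; an HTML client renders the text "<b>", not bold.

// mail('recipient@example.invalid', 'Contact form', $html['body'], $html['headers']);
echo $plain['body'], "\n\n", $html['body'], "\n";
```

Seeing "<" in an HTML-rendered email is therefore the sign that the encoding worked; the check is to view the raw message source, where the escaped text should read &lt;.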
