PHPBuilder - Displaying Formatted User Input


Displaying Formatted User Input

by: Ying Zhang
July 30, 2000

This document describes how to safely display formatted output from user input. We will discuss the dangers of displaying unfiltered output and then provide a safe means of displaying formatted output. Download the attachment and extract it into your web documents directory.

Dangers of Unfiltered Output

If you just took the user's input and displayed it as is, you may break your webpage. For example, someone can maliciously embed JavaScript in their comment like:

    This is my comment.
    <script language="javascript">alert('Do something bad here!')</script>

Even if the user had no bad intentions, they may accidentally include some HTML that breaks your site layout. For example, if you displayed the user's input in a table and they included an improperly nested </table> tag, your page appears broken.

Displaying Plain Text Only

The easiest solution would be to only display plain text in the comment. Using the htmlspecialchars() function, you convert all the special characters into HTML entities. For example, <b> would become &lt;b&gt;, turning it into text instead of an HTML tag. This guarantees that there is no HTML markup in the comment that would produce unwanted output.
This is an okay solution if your guests don't mind entering only plain text, but it would be a lot better if you gave them some formatting abilities.
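The plain-text approach above, as an added example that is not part of the original article: a small escaping helper built on htmlspecialchars(), applied to the two problem inputs the article describes (an embedded script and a stray </table>). The function names and sample comments are constructed for this illustration; passing ENT_QUOTES and an explicit charset is a precaution the article does not mention, but it matters when the escaped text lands inside a quoted attribute.

```php
<?php
// Added example (not from the original article): escape a comment before
// placing it in HTML. ENT_QUOTES also converts single quotes, so the result
// is safe in double- or single-quoted attribute values as well as in body
// text; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty
// string, and the explicit charset avoids mis-decoding on older PHP versions.
function escape_comment(string $comment): string
{
    return htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Wrap the escaped comment in the page's table layout. Every '<' and '>' in
// the comment is now an entity, so a stray </table> cannot close the layout
// table and a <script> tag is rendered as literal text rather than executed.
function render_comment_row(string $author, string $comment): string
{
    return '<tr><td>' . escape_comment($author) . '</td>'
         . '<td>' . escape_comment($comment) . '</td></tr>';
}

// Constructed sample inputs mirroring the two cases the article describes.
$samples = [
    "This is my comment. <script>alert('Do something bad here!')</script>",
    "Nice page </table> oops",
];

echo "<table>\n";
foreach ($samples as $comment) {
    echo render_comment_row('guest', $comment), "\n";
}
echo "</table>\n";
```

Note that htmlspecialchars() only makes text safe in an HTML body or attribute context; output placed inside a <script> block or a URL needs its own context-specific encoding.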
