RE: Re: XSS Preventing.

Shawn thanks,

If you are using htmlentities, be aware that it changes the charset to ISO-8859-1. So
this is the problem. For solving this there are some parameters.

htmlentities($str, ENT_QUOTES, 'UTF-8')

But there is no Turkish charset among the supported charsets. You can see the
detailed info at
http://tr.php.net/htmlentities

After using htmlentities I am getting the following:

Parçanýn
çýkarýldýðý /
takýlacaðý araç modeli
Parçanýn
çýkarýldýðý /
takýlacaðý araç modeli
Parçanýn
çýkarýldýðý /
takýlacaðý araç modeli
Parçanýn 

After using htmlspecialchars I am getting the following:

Parçanýn
çýkarýldýðý /
takýlacaðý araç modeli
Parçanýn
çýkarýldýðý /
takýlacaðý araç modeli
Parçanýn
çýkarýldýðý /
takýlacaðý araç modeli
Parçanýn
çýkarýldýðý /
takýlacaðý araç modeli

I hope I could explain the problem. Thanks


-----Original Message-----
From: Shawn McKenzie [mailto:nospam@xxxxxxxxxxxxx] 
Sent: 23 June 2009 00:01
To: php-general@xxxxxxxxxxxxx
Subject: Re: Re: XSS Preventing.

Caner BULUT wrote:
> Thanks for the response.
> 
> But if I use it before display, charset problems occur. And
> htmlentities does not support the Turkish charset. How can I decode data after
> passing it through htmlentities?

I have no idea, I was just saying that if you use it, use it for display
and not for storage.  If you only use it for display, then you don't
need to decode it.  Also, what do you mean it doesn't support the
Turkish charset?  Does it mangle some of the chars?  You are using it so
that you don't get markup <script ....> etc. in your output, so does it
do something bad with the Turkish chars?  Maybe try htmlspecialchars()
as it only converts a few specific chars.


> 
> Thanks.
> 
> -----Original Message-----
> From: Shawn McKenzie [mailto:nospam@xxxxxxxxxxxxx] 
> Sent: 22 June 2009 23:27
> To: php-general@xxxxxxxxxxxxx
> Subject: Re: XSS Preventing.
> 
> Caner BULUT wrote:
>> Hi Guys,
>>
>> I have a question; if you have any knowledge about this please let me know.
>>
>> I am getting data from a form with the POST method like the following.
>>
>> $x = htmlentities($_POST['y']);
>>
>> ...
>>
>> After getting all the form data I save it into the DB; I used
>> mysql_real_escape_string.
>>
>> I have a page which shows the information that I have saved into the DB. But if
>> I don't use html_entity_decode, there will be encoding and charset problems. I
>> can't set the htmlentities charset parameter because this function does not
>> have Turkish charset support.
>>
>> The question is: after saving data into the DB using htmlentities, if I use
>> the html_entity_decode function in the information page, is there still an
>> XSS risk or not? Does the html_entity_decode function bring back all the risk
>> again?
>>
>> Please help.
>>
>> Thanks.
>>
>> Caner.
>>
> 
> Don't htmlentities() before DB save.  In general:
> 
> - mysql_real_escape_string() before DB insertion
> 
> - htmlentities() before display
> 

-- 
Thanks!
-Shawn
http://www.spidean.com
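The two points the thread settles on (escape for HTML at display time, never before storing, and give the escaping function an explicit charset) can be checked end to end with a few lines of PHP. The example below is added here and is not code from either poster. It assumes the form data arrived as ISO-8859-9 (Latin-5, the single-byte Turkish charset): that is my inference from the mangled output quoted above, where dotless "ı" shows up as "ý", which is exactly what happens when byte 0xFD of an ISO-8859-9 string is read as ISO-8859-1. The sample byte string is constructed, the function names are mine, and the conversion step needs ext/mbstring and PHP 5.4 or later for ENT_SUBSTITUTE.

```php
<?php
declare(strict_types=1);

// Constructed sample, assumed to be ISO-8859-9 bytes as the form would have
// submitted them: "Parçanın" with ç = 0xE7 and ı (dotless i) = 0xFD, followed
// by the kind of markup the thread wants neutralised.
const SAMPLE_LATIN5 = "Par\xE7an\xFDn <script>alert(1)</script>";

// Reproduces the mangling quoted in the thread: htmlentities() with the
// ISO-8859-1 charset treats 0xFD as "ý" and emits &yacute; for every "ı".
function mangled(string $latin5): string
{
    return htmlentities($latin5, ENT_QUOTES, 'ISO-8859-1');
}

// Step 1 of the fix: normalise the input to UTF-8 once, when it arrives, and
// store that raw (no HTML escaping before the DB insert). Needs ext/mbstring.
function to_utf8(string $latin5): string
{
    return mb_convert_encoding($latin5, 'UTF-8', 'ISO-8859-9');
}

// Step 2: escape only when rendering into HTML, with the charset spelled out.
// htmlspecialchars() touches just & < > " ' so Turkish letters pass through;
// ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of returning ''.
function escape_for_html(string $utf8): string
{
    return htmlspecialchars($utf8, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Answers the original question directly: decoding what was escaped before
// storage gives back the original markup, so a page that stores escaped data
// and calls html_entity_decode() on output has no protection left.
function decoding_restores_markup(string $utf8): bool
{
    $stored  = htmlentities($utf8, ENT_QUOTES, 'UTF-8');
    $decoded = html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
    return $decoded === $utf8;
}

$utf8 = to_utf8(SAMPLE_LATIN5);

// The browser must be told the same charset the escaping used; a page served
// as ISO-8859-1 will display UTF-8 "ı" as two garbage characters even when the
// escaping was correct. (header() is a no-op when run from the CLI.)
header('Content-Type: text/html; charset=UTF-8');

echo "mangled (htmlentities, ISO-8859-1): ", mangled(SAMPLE_LATIN5), "\n";
echo "escaped (htmlspecialchars, UTF-8):  ", escape_for_html($utf8), "\n";
echo "decode undoes the escaping:         ",
    decoding_restores_markup($utf8) ? 'yes' : 'no', "\n";
```

Run it with `php example.php`. The first line shows the &yacute; / &ccedil; entities from the thread, the second shows the Turkish letters intact with only the angle brackets converted, and the third confirms that html_entity_decode() on stored, pre-escaped data brings the script tag back. For the storage step itself, the thread's mysql_real_escape_string() belongs to the ext/mysql extension that was removed in PHP 7; with mysqli or PDO the equivalent is a prepared statement with bound parameters, which is independent of the HTML escaping done at output.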

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux