Script 13.4 Prevent XSS Attacks

Output

Suggested text to copy and paste:

<b>be nice</b><br /><script>alert('hello');</script> d&uuml;ring t&egrave;sting.<br />&#9801;

Source
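<?php # Script 13.4 - xss.php

// Demonstrates how PHP's output-escaping functions transform one piece of
// user-supplied text. The first <dd> in the results deliberately echoes the
// submission without any escaping so the difference is visible on screen;
// that line is the exact reflected-XSS defect the other three lines fix, and
// it belongs only on this demo page.

// Flags for every escaping call below. ENT_QUOTES escapes both quote styles
// (required inside attribute values); ENT_SUBSTITUTE replaces invalid UTF-8
// with U+FFFD instead of returning an empty string, which would otherwise
// silently blank the result for a malformed submission.
$entFlags = ENT_QUOTES | ENT_SUBSTITUTE;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {

	// A missing field (hand-crafted request) becomes '' rather than an
	// "Undefined array key" warning; data[]=... would arrive as an array,
	// which the escaping functions reject with a TypeError in PHP 8.
	$data = $_POST['data'] ?? '';
	if (!is_string($data)) {
		$data = '';
	}

	// Apply the different functions, printing the results:
	echo "<div class='message'><h2>Results</h2><dl>";
	// Intentionally unescaped: the "before" picture of the demonstration.
	echo "<dt><b>Original - Unfiltered</b></dt><dd>{$data}</dd><br />";
	echo '<dt><b>htmlspecialchars()  </b></dt><dd>' . htmlspecialchars($data, $entFlags, 'UTF-8') . '</dd><br/>';
	echo '<dt><b>htmlentities()  </b></dt><dd>' . htmlentities($data, $entFlags, 'UTF-8') . '</dd><br/>';
	// strip_tags() removes markup but escapes nothing that remains; it is
	// shown for comparison, not as an alternative to escaping.
	echo '<dt><b>strip_tags()  </b></dt><dd>' . strip_tags($data) . '</dd>';
	echo '</dl></div>';

}

// The form posts back to this script. PHP_SELF reflects the request path
// (including any path-info), so it is escaped for the attribute context.
$self = $_SERVER['PHP_SELF'] . '?' . ($_SERVER['QUERY_STRING'] ?? '');

// Display the form:
?>
<form action="<?php echo htmlspecialchars($self, $entFlags, 'UTF-8'); ?>" method="post">
	<p>
		<label for="d">Enter some text</label>
		<textarea id="d" name="data" rows="3" cols="40"></textarea>
	</p>
	<p>
		Suggested text to copy and paste:<br />
		<?php
		// Escaped once as a whole so the browser shows the literal markup and
		// entity references (e.g. "&uuml;" appears as-is, ready to paste).
		$suggested = "<b>be nice</b><br /><script>alert('hello');</script> d&uuml;ring t&egrave;sting.<br />&#9801;";
		echo '<pre>' . htmlspecialchars($suggested, $entFlags, 'UTF-8') . '</pre>';
		?>
	</p>
	<p>
		<input type="submit" name="submit" value="Submit" />
	</p>
</form>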