Like we use htmlspecialchars
to avoid html tag as input.
Similarly, Is there any function or method that we can use to avoid javascript too.?
htmlspecialchars
does not take care of script tag.
any suggestions. ?
Like we use htmlspecialchars
to avoid html tag as input.
Similarly, Is there any function or method that we can use to avoid javascript too.?
htmlspecialchars
does not take care of script tag.
any suggestions. ?
Use filter_input and the FILTER_SANITIZE_FULL_SPECIAL_CHARS flag.
This will convert <
and >
to <
and >
, respectively.
$input = filter_input(INPUT_POST, 'fieldName', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
So this:
<script>alert('hello');</script>
Becomes this:
<script>alert('hello');</script>
Take a look at the different sanitize filters. Instead of using fullspecialchars on everything, use the filter that applies to the input you're expecting... ex. if you're asking for a number, use a number filter.
It should take care of the script tags, as the <
and >
tags are translated.
<
(less than) becomes <
>
(greater than) becomes >
See the PHP documentation: http://php.net/manual/en/function.htmlspecialchars.php