How to display htmlspecialchars on the html?

Question

I've read here:
https://stackoverflow.com/a/8932454/4301970
that htmlspecialchars() is very effective preventing xss attacks.

I'm receiving formated text from a wysiwyg editor, for example:

<p>
    <em>
        <strong><span style="font-size:36pt;">test</span></strong>
    </em>
</p>

Encoding this on my html:

<!DOCTYPE html>
<html lang=en>
<head>
    <title></title>
</head>
<body>
<?php echo htmlspecialchars('<p><em><strong><span style="font-size:36pt;">test</span></strong></em></p>', ENT_QUOTES); ?>
</body>
</html>

Will output on browser:

<p><em><strong><span style="font-size:36pt;">test</span></strong></em></p>

How can I display the formatted text correctly, while preventing XSS injections?

You can use \n after your element for new line and \t for Tab. — Mohammadreza Yektamaram, Jun 03 '16 at 13:42
`nl2br(str_replace(" ", "$nbsp;" htmlspecialchars($data)));`. Something like this? — Ramon Bakker, Jun 03 '16 at 13:45
The `htmlspecialchar` converts special characters that would create elements to their entities so they aren't rendered. You want some elements rendered it seems so you will need a different approach. — chris85, Jun 03 '16 at 13:46
Convert the elements you want to allow, to a different symbol, then run htmlspecial chars, then de-convert your allowed elements. — chris85, Jun 03 '16 at 13:54
chris85.. wanna add a response explaining htmlspecialchars can't be shown properly, following with your suggestion so that I can chose your answer? It fully answers my question. — random425, Jun 03 '16 at 15:45

score 2 · Accepted Answer · answered Jun 03 '16 at 19:27

The htmlspecialchars encodes all characters that have (or could) special meanings in XML, specifically <, >, &, ", and ' (if ENT_QUOTES is set).

So with this setting any malicious code attempts would not be rendered by the browser.

For example

<script>alert('bam');</script>

would be

&lt;script&gt;alert('bam');&lt;/script&gt;
//or with quotes constant
&lt;script&gt;alert(&#039;bam&#039;);&lt;/script&gt;

which JS won't process. So that can be an affective means of stopping XSS injections. However you want users to submit some HTML so you will need to make a kind of whitelist of approved elements. You can do that by replacing the <> with custom text that won't occur in your users inputs. In my below example I've chosen custom_random_hack. Then run everything through the htmlspecialchars which will encode all special characters. Then convert your swapped elements back to their HTML elements.

$string = '<p>
    <em>
        <strong><span style="font-size:36pt;">test</span></strong>
    </em>
</p>';
$allowedtags = array('p', 'em', 'strong');
echo '~<(/?(?:' . implode('|', $allowedtags) . '))>~';
$string = preg_replace('~<(/?(?:' . implode('|', $allowedtags) . '))>~', '#custom_random_hack$1custom_random_hack#', $string);
echo str_replace(array('#custom_random_hack', 'custom_random_hack#'), array('<', '>'), htmlspecialchars($string, ENT_QUOTES));

Demo: https://eval.in/582759

score 1 · Answer 2 · edited May 23 '17 at 12:31

1

To prevent xss injections and show correctly, once that strip_tag() isn't fully safe, you should take a look in HTML PURIFIER

I hope this helps!

edited May 23 '17 at 12:31

Community

1
1

answered Jun 03 '16 at 14:03

Allan Andrade

670
10
26

score 0 · Answer 3 · answered Jun 03 '16 at 13:52

0

If you want to preserve the indentation:

Wrap your output in a <pre> tag. This tags preserve whitespace charaters

If you want the input to be rendered as HTML:

don't use htmlspecialchars. And yes, this opens up your app to XSS again.

answered Jun 03 '16 at 13:52

AUsr19532

228
1
11

If he want's to render HTML **and** be safe from XSS he'd have to sanitize the input and render the sanitized input as HTML. For example using some pseudo code syntax in the editor such as buelltinboard software does. – AUsr19532 Jun 03 '16 at 13:58

How to display htmlspecialchars on the html?

3 Answers3