I have created a page to create articles: http://8mags.com/bored/people/ When I posted an article with script tags and other HTML tags, it came out with script tags. Here is the link to the generated article: http://8mags.com/bored/people/stories/59b4f0c3a94d5f2637b376be6e554480.php Is this a security threat? How can I prevent it? Here is the code that I am using:
```php
if (!empty($_REQUEST['content']) && !empty($_REQUEST['title']) && !empty($_REQUEST['writer'])) {
    $title   = $_POST['title'];
    $content = $_POST['content'];
    $writer  = $_POST['writer'];

    // Run the submitted HTML through HTMLPurifier, then entity-encode and escape it.
    require_once 'htmlpurifier/library/HTMLPurifier.auto.php';
    $purifier = new HTMLPurifier();
    $pure_content = $purifier->purify($content);
    $entity_content = htmlentities($pure_content);
    $entity_content = $mysqli->real_escape_string($entity_content);

    // Note: $entity_content is never used below. The INSERT writes the
    // addslashes()'d raw POST values, so the purified output is discarded.
    $slashedtitle   = addslashes($_POST['title']);
    $slashedcontent = addslashes($_POST['content']);
    $slashedwriter  = addslashes($_POST['writer']);
    $mysqli->query("INSERT INTO stories (TITLE, WRITER, CONTENT, UPVOTE, DOWNVOTE) VALUES ('$slashedtitle', '$slashedwriter', '$slashedcontent', 0, 0)");
}
```
There is no security threat as far as I can see. By using HTMLPurifier all malicious code should be removed.
What happened here, I suspect, is that the TinyMCE editor converted your written code into HTML entities before the form was submitted, e.g. `<script>` was converted to `&lt;script&gt;`. Therefore the code doesn't get executed in the browser and can't be malicious.
If you want to test what happens to malicious code, do it right and use a tool like Firebug to inject the code into the editor, so it can't get escaped.
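As an added example (not code from the question or from the answer above), here is how the same form handler could store and render stories so that the purified HTML is what actually gets saved and the SQL string never contains user input. It assumes the same HTMLPurifier install path and `$mysqli` connection as the question and the question's `stories` table; the names `make_purifier`, `store_story` and `render_story` are chosen here, and the `$sample` input is constructed. Note that in the posted code the purified value `$entity_content` is computed but the INSERT writes the raw `addslashes()`'d `$_POST['content']`, so whatever HTMLPurifier removed still reaches the database.

```php
<?php
// Added example, not the question's or the answer's code. Assumes HTMLPurifier
// at the path used in the question and an open mysqli connection in $mysqli.
require_once 'htmlpurifier/library/HTMLPurifier.auto.php';

/**
 * Build a purifier with an explicit allow-list of elements and attributes.
 * Anything not listed (script, iframe, on* handlers, javascript: URLs) is
 * removed from the markup rather than entity-encoded.
 */
function make_purifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,b,i,strong,em,ul,ol,li,br,blockquote,a[href]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    return new HTMLPurifier($config);
}

/**
 * Store a submitted story. The purified HTML is what gets written, and the
 * values travel as bound parameters, so addslashes()/real_escape_string()
 * are not needed and cannot be forgotten.
 */
function store_story(mysqli $mysqli, array $post): bool
{
    foreach (['title', 'writer', 'content'] as $field) {
        if (!isset($post[$field]) || trim($post[$field]) === '') {
            return false;
        }
    }
    $title   = $post['title'];                           // plain text, encoded at output
    $writer  = $post['writer'];                          // plain text, encoded at output
    $content = make_purifier()->purify($post['content']); // allow-listed HTML

    $stmt = $mysqli->prepare(
        'INSERT INTO stories (TITLE, WRITER, CONTENT, UPVOTE, DOWNVOTE) VALUES (?, ?, ?, 0, 0)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sss', $title, $writer, $content);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/**
 * Render one story row. Title and writer are plain text and are entity-encoded
 * here. Content is HTML, so it is purified again on the way out instead of
 * being encoded: encoding purified HTML (as htmlentities() did in the question)
 * would display the tags literally, and purifying on output also covers rows
 * that were stored before purification was in place.
 */
function render_story(array $row): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $content = make_purifier()->purify($row['CONTENT']);
    return '<h1>' . $esc($row['TITLE']) . '</h1>'
         . '<p class="writer">' . $esc($row['WRITER']) . '</p>'
         . '<div class="content">' . $content . '</div>';
}

// Constructed sample submission, for illustration only: the <script> element
// and the javascript: href are not in the allow-list and are dropped by purify().
$sample = [
    'title'   => 'Hello <world>',
    'writer'  => 'alice',
    'content' => '<p>Hi</p><script>alert(1)</script><a href="javascript:alert(1)">x</a>',
];

if (isset($mysqli) && store_story($mysqli, $sample)) {
    $result = $mysqli->query('SELECT TITLE, WRITER, CONTENT FROM stories ORDER BY 1 DESC LIMIT 1');
    echo render_story($result->fetch_assoc());
}
```

Purifying in `render_story` as well as in `store_story` costs one extra `purify()` per page view but means the rendered page is safe even if a row was written by some other path without purification.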