First I downloaded htmlpurifier-4.8.0, then uploaded it to my hosting. This is the code without htmlpurifier:
<?php
if (isset($_POST["submit"])) {
    include("connect.php");
    // escape for SQL, then echo straight back to the page
    $dirty_html = mysqli_real_escape_string($db_mysqli, $_POST['xx']);
    echo $dirty_html;
}
?>
<form method="post" action="" enctype="multipart/form-data">
    <input name="xx" type="text">
    <input type="submit" name="submit" value="OK">
</form>
In the input named "xx" I fill in the data <script>alert("test");</script>777, and got the echo 777.
And here's the code with htmlpurifier usage:
<?php
if (isset($_POST["submit"])) {
    include("connect.php");
    require_once 'htmlpurifier-4.8.0/library/HTMLPurifier.auto.php';
    $purifier = new HTMLPurifier();
    // escape for SQL, run through HTML Purifier, then echo to the page
    $dirty_html = mysqli_real_escape_string($db_mysqli, $_POST['xx']);
    $clean_html = $purifier->purify($dirty_html);
    echo $clean_html;
}
?>
<form method="post" action="" enctype="multipart/form-data">
    <input name="xx" type="text">
    <input type="submit" name="submit" value="OK">
</form>
I repeat the same test with the same input. Can someone explain the difference: why am I getting the same results with and without htmlpurifier?
$dirty_html = mysqli_real_escape_string($db_mysqli, $_POST['xx']);
// $dirty_html has 777 value now
$clean_html = $purifier->purify($dirty_html);
// $clean_html has 777 value because there is nothing to purify in 777, which is a valid value

mysqli_real_escape_string already converts the input to 777.
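The following command-line script is an added example, not code from the question or the answer above. It takes the same test string the question typed into the form and prints what each function actually leaves behind, so the result can be read in plain text rather than inferred from what the browser renders. Because mysqli_real_escape_string() needs an open database connection, addslashes() stands in for it (an assumption made for the example: both escape quotes and backslashes and neither touches angle brackets). The HTML Purifier path assumes the same htmlpurifier-4.8.0 directory layout used in the question and is skipped when the library is not present.

```php
<?php
// Added example (not part of the original question or answer).
// Run from the command line:  php demo.php

// Constructed test input: the exact string typed into the form in the question.
$input = '<script>alert("test");</script>777';

// 1. SQL escaping. mysqli_real_escape_string() requires a live connection, so
//    addslashes() stands in for it here (assumption for this example). Both
//    prefix quotes and backslashes with a backslash; neither touches '<' or '>'.
//    The <script> element survives, so a browser that receives this string
//    executes the script and then renders only the text "777".
$sql_escaped = addslashes($input);

// 2. HTML output escaping. This is the function that protects an echo:
//    '<' becomes '&lt;' and '"' becomes '&quot;', so the tag is displayed as
//    literal text instead of being interpreted as markup.
$html_escaped = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

// 3. HTML Purifier, if its autoloader is found next to this script. The script
//    element is not on its whitelist, so the element and its contents are
//    dropped and the text "777" is kept. That is why the second form in the
//    question also shows "777": the difference between the two versions is in
//    the page source (script tag present or absent), not in the rendered page.
$purified = null;
$autoload = __DIR__ . '/htmlpurifier-4.8.0/library/HTMLPurifier.auto.php';
if (is_file($autoload)) {
    require_once $autoload;
    $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
    $purified = $purifier->purify($input);
}

printf("raw input        : %s\n", $input);
printf("addslashes       : %s\n", $sql_escaped);
printf("htmlspecialchars : %s\n", $html_escaped);
printf("HTMLPurifier     : %s\n", $purified === null ? '(library not found, skipped)' : $purified);
```

Compare the first two printed lines: the SQL-escaping step leaves the `<script>` element intact, which is why the first form in the question still executed it. The security decision is about where the value goes: escaping for MySQL protects the query, htmlspecialchars() protects an echo into HTML, and HTML Purifier is for the case where some HTML must be allowed through. Viewing the page source after submitting, rather than the rendered page, is the quick check that shows which of these actually changed the output.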