Prevent HTML to be displayed from $_GET method
I'm currently working on a user management system.
I have the register and sign-in page among other sites, that all use the $_GET function. After experimenting around a bit I noticed that you can print HTML code from the GET parameters when you exactly know what you are doing. There is probably a way to exploit this by using the onerror in an img tag e.g.
How can I prevent this from happening?
The URL: users.php?s=login&mail=">%20<img%20src=%27../images/notification_bell.png%27%20width=%2725px%27>
What it displays:
And my code:
print ' <form action="' .$url. '" method="post">
<input type="hidden" name="a" value="login"/>
<b><label for="mail">E-Mail:</label></b>
<input type="email" id="mail" name="mail" maxlength="50" value="' .$mail. '" required><br><br>
How can I prevent this from happening?
use htmlspecialchars to convert user-defined characters into web-safe code. https://www.php.net/htmlspecialchars
also, maybe you could use filter_var to validate the email and simply unset it if it's invalid. https://www.php.net/filter_var
- How can I get a file's extension in PHP?
- Add a new class to img tag's class list
- Wrap <img> tag in a new tag and add alt attribute to the <img>
- Remove non-<img> tags from string
- Remove excess newlines/whitespace from multi-line <img> tag in HTML string
- Get whole img tag including its attribute declarations from a string
- Wordpress / Elementor How to pass data from one site to another
- Using WordPress post meta functions with array variables on WooCommerce orders
- Laravel casting JSON to array?
- Trying to match src part of HTML <img> tag Regular Expression
- smallest checksum on a string
- WordPress baseurl
- Get src value containing a specific keyword from all <img> tags
- Get src from square-braced shortcode text
- In Php what happens when an object fails to be instantiated?
- How can I get a href,Image src,title from given html using DomDocument
- extract image src value from special div in html file using php
- Use PHP composer to clone git repo
- Does php evaluate the second argument of an or statement if the first evaluates to false?
- PHP: Include/require file that was not properly escaped with <?php ?>
- PHP prefixing hex summation value with 1?
- Sort Array Keys To Specific Order
- Xdebug triggered by Code Sniffer in PHPStorm
- accept only english character in form validation in codeigniter
- How To Disable The WordPress Theme Editor
- PHP XLS Reader is writing extra columns
- laravel, how to set default value in Validator at post registeration
- Warning: mysqli_connect(): (HY000/1045): Access denied for user 'username'@'localhost' (using password: YES)
- Get one to many relationship in the pivot table of another many to many relationship in Laravel 11
- $_SERVER['HTTP_HOST'] not set