
How do I protect my website from XSS?

im_not_200iq

So I have a website and a forum on that website.


Code:

<?php

$name = $_POST["name"] ?? "";
$text = $_POST["mes"] ?? "";
$post = $_POST["post"] ?? "";

if($post){

    #WRITE DOWN COMMENTS#
    # (the user's name and text are written to the file, and later echoed, unchanged)

    $write = fopen("com.txt", "a+");
    fwrite($write, "<u><b> $name</b></u><br>$text<br>");
    fclose($write);

    #DISPLAY COMMENTS#

    $read = fopen("com.txt", "r");
    echo "All comments:<br>";

    while(!feof($read)){
        echo fread($read, 1024);
    }

    fclose($read);

}

else{

    #DISPLAY COMMENTS#

    $read = fopen("com.txt", "r");
    echo "All comments:<br>";

    while(!feof($read)){
        echo fread($read, 1024);
    }

    fclose($read);

}

?>


How can I protect against XSS?

I'm thinking of a filter that would remove certain letters and phrases.


1 minute ago, James Evens said:

Edit it to keep the formatting and use the code tag.

I don't really know PHP :(


Just now, James Evens said:

It is not PHP. It is how to use this forum. Just select HTML for the code.

I don't understand, I'm not good at coding.


Basically, you don't want to display on the page the text exactly how the user sent it to you.

For example, a user may type as their username <script>alert('boo!');</script>

 

And if you accept it like that, you're gonna write it in the file with this line:

 

fwrite($write, "<u><b> $name</b></u><br>$text<br>");

 

so in your file, you're gonna end up with this line:

 

<u><b> <script>alert('booo!');</script></b></u>whatever text<br>

 

Later, when you're gonna retrieve the data from the file and print it on the screen, the browser will read this, find the <script> tag, and whatever is found after the script tag is processed as JavaScript, so it can run in the browser.

 

You can avoid this by converting the characters that have special meaning in HTML into alternatives the browser will treat as regular text. In HTML, the characters &, < and >, and to a lesser degree ' and ", have special meanings and should be escaped.

 

You do that with the function htmlspecialchars : https://www.php.net/manual/en/function.htmlspecialchars.php

 

So with your code, you would probably change it to

 

fwrite($write, "<u><b> " . htmlspecialchars($name)."</b></u><br>".htmlspecialchars($text)."<br>");

 

But honestly, it's a poorly designed system. You shouldn't store the data (name and text) inside a text file together with the formatting, because let's say you want to change the formatting at some point in the future... what will you do then, edit the file by hand to change the HTML code?

The file should only have the name and text entered by the user... Then you can store the actual text (without modifications) in the text file and only use the htmlspecialchars function when you actually display the stuff on screen.
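To make the "escape once, at output time" advice concrete, here is an added example (not code from the thread and not mariushm's): the same markup the fwrite() line builds, but with the values passed through htmlspecialchars() at render time, a small check that the rendered fragment carries no tag from user data, and the double-escaping trap you hit if com.txt already holds escaped text. The esc(), render_comment() and looks_inert() names and the sample values are assumptions made for this example; it needs PHP 8 (str_contains).

```php
<?php
// Added example, not code from the thread: escape user data exactly once,
// at the moment it is written into HTML. The sample values below are constructed.

declare(strict_types=1);

// Convert every HTML-significant character to an entity so the browser shows it
// as text. ENT_QUOTES also covers ' and " (needed inside attributes); ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning '' and silently losing the comment.
function esc(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Same markup as the thread's fwrite() line, but the data goes through esc().
// The tags are the page author's (trusted); only the values are untrusted.
function render_comment(string $name, string $text): string
{
    return '<u><b> ' . esc($name) . '</b></u><br>' . esc($text) . '<br>';
}

// True when no tag in the fragment came from user data: after stripping the
// markup we wrote ourselves, no '<' may remain.
function looks_inert(string $html): bool
{
    $ours = ['<u>', '</u>', '<b>', '</b>', '<br>'];
    return !str_contains(str_replace($ours, '', $html), '<');
}

// Constructed inputs: mariushm's example username plus an ampersand in the text.
$name = "<script>alert('boo!');</script>";
$text = 'whatever text & more';

$html = render_comment($name, $text);
echo $html, PHP_EOL;
// <u><b> &lt;script&gt;alert(&#039;boo!&#039;);&lt;/script&gt;</b></u><br>whatever text &amp; more<br>

var_dump(looks_inert($html));                                 // bool(true)
var_dump(looks_inert("<u><b> $name</b></u><br>$text<br>"));   // bool(false): the unescaped original

// Caveat: escape once. If com.txt already holds the escaped form (the first fix
// in the thread) and the display code escapes again, "&lt;" becomes "&amp;lt;"
// and the page literally shows "&lt;script&gt;" instead of the intended text.
$stored_escaped = esc($name);
echo esc($stored_escaped), PHP_EOL;
// &amp;lt;script&amp;gt;alert(&amp;#039;boo!&amp;#039;);&amp;lt;/script&amp;gt;
```

Run it from the command line with php; the two var_dump() lines show the difference between the escaped fragment and the original unescaped one. The escaping here is for text between tags and inside quoted attributes; putting user data into a script block, a URL or an unquoted attribute needs a different encoding, which is another reason to keep the stored data raw and decide the encoding at the point of output.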

 

 

 

 

 

 


13 minutes ago, mariushm said:

Basically, you don't want to display on the page the text exactly how the user sent it to you.


WOW THANK YOU SO MUCH!!!

It's sooo simple and it worked; the reason I'm not using a database and stuff is because I'm hosting this on my old phone.


1 hour ago, im_not_200iq said:

Here's a cleaner and more proper way to do it:

<?php

// this variable holds our name + comment pairs
$comments = array();

// start by reading the comments from the json file, you're gonna show them either way so no point doing it twice
$file = __DIR__ . '/comments.json';

// try to read the json encoded pairs from the file as a big chunk of text
// (only if the file exists yet: file_get_contents() on a missing file warns and returns false)
$content = file_exists($file) ? file_get_contents($file) : '';

// if we managed that, parse the text and decode and put everything in our comments array
if ($content != '') { // there was at least one comment stored already
    $decoded = json_decode($content, TRUE); // decode the file text, not the (still empty) array
    if (is_array($decoded)) {               // a corrupt file decodes to null; keep the empty array then
        $comments = $decoded;
    }
}

// let's see if user posted a message (the form's "post" field, as in the original code)
$form_submitted = isset($_REQUEST['post']);
if ($form_submitted == true) {
    // he did, so get the name and text and add it to the comments we already read
    // and have in our comments array
    $name = $_REQUEST['name'] ?? '';
    $text = $_REQUEST['text'] ?? '';
    $search_for = ['noob', 'trash']; // different way of saying array()
    $replace_with = ['im', 'noob'];
    $text = str_ireplace($search_for, $replace_with, $text);
    // put the pair at the end of the array, keyed by name/text so the display loop below can find them
    array_push($comments, ['name' => $name, 'text' => $text]);
    // encode the modified array in the json format
    $content = json_encode($comments, JSON_PRETTY_PRINT);
    // save the text to the file, overwriting it or creating new file with first comment
    file_put_contents($file, $content); // save encoded content to file
}

// now show comments on screen

echo "All comments:<br>";

// foreach loops through the comments array and puts each entry in the $comment variable
// $comment['name'] , $comment['text'] are the two things you have for each entry

foreach ($comments as $comment) {
    echo '<u><b>' . htmlspecialchars($comment['name']) . '</b></u>' .
         '<br>' . htmlspecialchars($comment['text']) . '<br>';
}
?>
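The JSON version reads the whole file, appends one row and writes the whole file back, so two comments posted at the same moment can overwrite each other and a half-written file can be parsed by the next request. As an added example (not mariushm's code and not from the thread), here is the same store-raw / escape-on-output design with the read-modify-write done under flock(). The file name comments.json, the row layout, the function names and the demo values are assumptions made for this example; it needs PHP 8.

```php
<?php
// Added example, not code from the thread: the comments.json read-modify-write done
// under an exclusive lock, so two posts arriving at once cannot overwrite each other.
// File name, row layout and the demo values are assumptions for this example.

declare(strict_types=1);

const COMMENTS_FILE = __DIR__ . '/comments.json';

// Decode the file's text into a list of ['name' => ..., 'text' => ...] rows.
// An empty or corrupt file yields an empty list instead of a fatal error.
function decode_comments(string $raw): array
{
    if ($raw === '') {
        return [];
    }
    try {
        $rows = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return [];
    }
    return is_array($rows) ? $rows : [];
}

// Append one comment. Raw values are stored; escaping happens only in render_comments().
function add_comment(string $name, string $text): void
{
    // 'c+' creates the file if missing and does not truncate it before we hold the lock.
    $fh = fopen(COMMENTS_FILE, 'c+');
    if ($fh === false) {
        throw new RuntimeException('cannot open ' . COMMENTS_FILE);
    }
    try {
        if (!flock($fh, LOCK_EX)) {
            throw new RuntimeException('cannot lock ' . COMMENTS_FILE);
        }
        $rows = decode_comments((string) stream_get_contents($fh));
        $rows[] = ['name' => $name, 'text' => $text];
        $json = json_encode($rows, JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR);
        rewind($fh);
        ftruncate($fh, 0);
        fwrite($fh, $json);
        fflush($fh);
    } finally {
        flock($fh, LOCK_UN);
        fclose($fh);
    }
}

// Read all comments under a shared lock so a half-written file is never parsed.
function load_comments(): array
{
    if (!file_exists(COMMENTS_FILE)) {
        return [];
    }
    $fh = fopen(COMMENTS_FILE, 'r');
    if ($fh === false) {
        return [];
    }
    try {
        flock($fh, LOCK_SH);
        return decode_comments((string) stream_get_contents($fh));
    } finally {
        flock($fh, LOCK_UN);
        fclose($fh);
    }
}

// HTML is produced here and only here; the stored JSON never contains escaped text.
function render_comments(array $rows): string
{
    $out = '';
    foreach ($rows as $row) {
        $name = htmlspecialchars((string) ($row['name'] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $text = htmlspecialchars((string) ($row['text'] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $out .= '<u><b>' . $name . '</b></u><br>' . $text . '<br>';
    }
    return $out;
}

// Demo with constructed values (run from the command line; writes comments.json next to this file).
add_comment("<script>alert('boo!');</script>", 'first post');
add_comment('alice', 'Tom & Jerry');
echo render_comments(load_comments()), PHP_EOL;
```

The lock is advisory, so every script that touches comments.json has to take it; in a form handler you would call add_comment() only when the request carries the posted fields and then render load_comments(). Because the JSON holds the raw values, changing the markup later is a change to render_comments() alone, which is the point mariushm makes about not baking the formatting into the file.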
    

 

