Dangerous Raw HTML Code: When Would You Use htmlentities?

The document discusses dangerous raw HTML code that could be used by malicious users to redirect visitors to unwanted websites. It explains that using htmlentities on user-submitted content would prevent this by removing the ability for users to insert active HTML code, while still allowing their content to be displayed. The key recommendation is to use htmlentities anytime users can submit content that other visitors will see, in order to prevent common attacks on the website.

Uploaded by Anil Kumar
Copyright: © All Rights Reserved

Dangerous Raw HTML Code:

I am going to hax0r your site, hahaha!


<script type='text/javascript'>
window.location = 'http://www.example.com/'
</script>

Those two HTML code examples are what you would see if you were to view the source of the web page. However, if you were viewing the output normally in your browser, you would see the following.

Safe Display:
I am going to hax0r your site, hahaha! <script type='text/javascript'> window.location = 'http://www.example.com/' </script>

Dangerous Display:
You'd see whatever spammer site the malicious user had redirected you to. Probably some herbal supplement site or weight loss pills would be displayed.

When Would You Use htmlentities?

Anytime you allow users to submit content to your website that other visitors can see, you should consider removing their ability to use HTML. Although this will remove a lot of cool things your users can do, like making heavily customized content, it will protect your site from a lot of common attacks. With some custom coding you can remove only specific tags from running, but that is beyond the scope of this lesson.

Just remember that when you allow users to submit content to your site, you are also giving them access to your website. Be sure you take the proper precautions.
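As an added example (not part of the original lesson), here is the same comment produced both ways in PHP: once echoed raw, once passed through htmlentities(). The helper name safe_html() and the comment text are assumptions constructed for this demo.

```php
<?php
// Added example, not from the original lesson. Shows the difference between
// echoing user-submitted content raw and passing it through htmlentities().
declare(strict_types=1);

/**
 * Escape user-submitted text for safe insertion into an HTML document.
 * ENT_QUOTES escapes both ' and " so the result is also safe inside
 * single- or double-quoted attribute values; ENT_SUBSTITUTE replaces
 * invalid byte sequences instead of returning an empty string; the
 * explicit charset avoids mis-decoding multibyte input.
 */
function safe_html(string $userText): string
{
    return htmlentities($userText, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed user input, modelled on the lesson's redirect example.
$comment = "I am going to hax0r your site, hahaha!\n"
         . "<script type='text/javascript'>\n"
         . "window.location = 'http://www.example.com/'\n"
         . "</script>";

// Dangerous: the browser parses a live <script> element and runs it.
$dangerous = "<p>" . $comment . "</p>";

// Safe: the browser sees literal text such as &lt;script ...&gt; and displays it.
$safe = "<p>" . safe_html($comment) . "</p>";

echo "Dangerous display source:\n", $dangerous, "\n\n";
echo "Safe display source:\n", $safe, "\n";

// Self-check: no raw tag or quote character survived the escaping.
assert(strpos($safe, '<script') === false);
assert(strpos($safe, "'") === false);
assert(strpos($safe, '&lt;script') !== false);
```

The escaped string is only correct for HTML body and attribute contexts; content placed inside a <script> block or a URL needs context-specific encoding instead.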
