contact_us.php

<form action="contact.php" method="POST">      
<table border="0" cellpadding="2">
<tr>	
         <td>Name  : </td>
 	<td><input name="nama" type="text" value="" size="30" /></td>
</tr>
<tr>    
         <td>E-mail: </td>
	<td><input name="email" type="text" value="" size="20" /></td>
</tr>    
<tr>
	<td>Your message  : </td>
	<td><textarea name="comments" cols=30 rows=6></textarea></td>
</tr>
<tr>
	<td></td>
    <td><input name="send message" type="button" value="send message" /> 
</table>
</form>

Hello, out of this form I would like to create a form that's free from XXS attack. How to do so?

no magic follow security rules. here is one of them concerning the question:

Before putting user input in HTML output, ALWAYS CONVERT control chars to HTML entities. This protects against cross-site scripting (XSS) or messing up your output with custom HTML

Source:
I would add to that, since it is a form, then limit HTML tags to a fixed list (bold Italic et al look at stack overflow comments) and then filter out anything else. That is, you have a whitelist and discard any other tag as invalid. you can use BB code also and convert BB tag to HTML on your server side script. Just note the rule above and choose your own remedy!

More or less the following code are safe from XXS attack right? Assuming I change the form action to send_email.php

send_email.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>

<?php
$kepada=$_GET["kepada"];
$nama = $_GET["nama"];
$email = $_GET["email"];
$subjek = $_GET["subjek"];
$comments = $_GET["comments"];
?> 
 
<?php
// using htmlentities

$newkepada= htmlspecialchars($kepada, ENT_QUOTES);
$newnama= htmlspecialchars($nama, ENT_QUOTES);
$newemail = htmlspecialchars($email, ENT_QUOTES);
$newsubjek = htmlspecialchars($subjek, ENT_QUOTES);
$newcomments = htmlspecialchars($comments, ENT_QUOTES); 
 
?> 
 
<h1>Demo Send Email</h1>
<hr>
Kepada : <?php echo $kepada; ?>
Subject : <?php echo $subjek; ?>
Pesan : <?php echo $pesan; ?>
Dari : <?php echo $dari; ?>
<br />
<?php
ini_set("SMTP", "172.16.1.1");
ini_set("sendmail_from", "$email");
mail("$kepada", "$subjek", "$comments");
?>

Telah dilakukan!

</body>
</html>

More or less the following code are safe from XXS attack right? Assuming I change the form action to send_email.php

send_email.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>

<?php
$kepada=$_GET["kepada"];
$nama = $_GET["nama"];
$email = $_GET["email"];
$subjek = $_GET["subjek"];
$comments = $_GET["comments"];
?> 
 
<?php
// using htmlentities

$newkepada= htmlspecialchars($kepada, ENT_QUOTES);
$newnama= htmlspecialchars($nama, ENT_QUOTES);
$newemail = htmlspecialchars($email, ENT_QUOTES);
$newsubjek = htmlspecialchars($subjek, ENT_QUOTES);
$newcomments = htmlspecialchars($comments, ENT_QUOTES); 
 
?> 
 
<h1>Demo Send Email</h1>
<hr>
Kepada : <?php echo $kepada; ?>
Subject : <?php echo $subjek; ?>
Pesan : <?php echo $pesan; ?>
Dari : <?php echo $dari; ?>
<br />
<?php
ini_set("SMTP", "172.16.1.1");
ini_set("sendmail_from", "$email");
mail("$kepada", "$subjek", "$comments");
?>

Telah dilakukan!

</body>
</html>

Do email need to have formatting or not?

Do you mean formatting like ckeditor? no.

Do you mean formatting like ckeditor? no.

Then strip off all <xxx> </xxx> tags and leave only plain text. you are safe with no tag!

Like this ?

komentar.php

<?php

$nama = isset($_POST['nama']) ? $_POST['nama'] : '';
$comments = isset($_POST['comments']) ? $_POST['comments'] : '';
 
// escape output

$newnama= htmlspecialchars($nama, ENT_QUOTES);
$newcomments = htmlspecialchars($comments, ENT_QUOTES); 
 
// filter input

Echo sanitize_data($newnama);
Echo sanitize_data($newcomments);


function sanitize_data($input_data) { 
return htmlentities(stripslashes($input_data), ENT_QUOTES); 
} 

?>

I wonder why I do not see comments as output?

This code is the form code before komentar.php

komentar.php

<html>

Cross Site Scripting Security
<form action="komentar.php" method="POST">
Nama:
<input type="textbox" name="nama" /><br />
Komentar:<textarea name="comments" rows=10 cols=40></textarea><br />
<input type="submit" />
</form>

</html>

I only see nama (translate: name) as output after I input name, but not comments.

Echo and echo are different beasts!
One is PHP function another is ??????

Thanks. it works. one more thing:

receive.php

<html>

<?php

$nama = isset($_POST['nama']) ? $_POST ['nama'] : '';
$color =  isset($_POST['color']) ? $_POST ['color'] : '';


$newnama = htmlspecialchars($nama, ENT_QUOTES);
$newcolor =  htmlspecialchars($color, ENT_QUOTES);


RemoveBad($newnama);
RemoveBad($newcolor);


function RemoveBad(strTemp) { 
    strTemp = strTemp.replace(/\<|\>|\|\|\%|\;|\(|\)|\&|\+|\-/g,""); 
    return strTemp;
} 

?>

<h1> Print Output </h1>
Nama  :  <?php echo $newnama ?>
Color   :  <?php echo $newcolor ?>

</html>

Parse error: syntax error, unexpected ')', expecting '&' or T_VARIABLE in C:\xampp\htdocs\php_exercise\receive.php on line 17

line 17: function RemoveBad(strTemp) {

Are you sure

strTemp = strTemp.replace(/\<|\>|\|\|\%|\;|\(|\)|\&|\+|\-/g,"");

is not supposed to be

strTemp = strTemp.replace("/\<|\>|\|\|\%|\;|\(|\)|\&|\+|\-/g","");

Still error.

Parse error: syntax error, unexpected ')', expecting '&' or T_VARIABLE in C:\xampp\htdocs\php_exercise\receive.php on line 17

strTemp = strTemp.replace("/\<|\>|\|\|\%|\;|\(|\)|\&|\+|\-/g","");

mh, are you sure strTemp is not supposed to be $strTemp?

function RemoveBad($strTemp) { 
    $strTemp = $strTemp.replace("/\<|\>|\|\|\%|\;|\(|\)|\&|\+|\-/g","");
    return $strTemp;
}

Fatal error: Call to undefined function replace() in C:\xampp\htdocs\php_exercise\receive.php on line 18

function RemoveBad($strTemp) { 
    $strTemp = $strTemp.replace("/\<|\>|\|\|\%|\;|\(|\)|\&|\+|\-/g","");
    return $strTemp;
}

Fatal error: Call to undefined function replace() in C:\xampp\htdocs\php_exercise\receive.php on line 18

what is your programming languages background?
in PHP we do it this way

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.