arectiyu rokiyw - 10 days ago
PHP Question

How to test htmlpurifier using php?

First I downloaded htmlpurifier-4.8.0, then uploaded it to my hosting. This is the code without htmlpurifier:

<?PHP
if(isset($_POST["submit"]))
{
include("connect.php"); // provides $db_mysqli
$dirty_html = mysqli_real_escape_string($db_mysqli,$_POST['xx']);
echo $dirty_html;
}
?>

<form method="post" action="" enctype="multipart/form-data">
<input name="xx" type="text">
<input type="submit" name="submit" value="OK">
</form>


In the input name="xx" I fill in the data <script>alert("test");</script>777, and got the echo 777.

And here's the code with htmlpurifier usage:

<?PHP
if(isset($_POST["submit"]))
{
include("connect.php"); // provides $db_mysqli
require_once 'htmlpurifier-4.8.0/library/HTMLPurifier.auto.php';
$purifier = new HTMLPurifier();
$dirty_html = mysqli_real_escape_string($db_mysqli,$_POST['xx']);
$clean_html = $purifier->purify($dirty_html);
echo $clean_html;
}
?>
<form method="post" action="" enctype="multipart/form-data">
<input name="xx" type="text">
<input type="submit" name="submit" value="OK">
</form>


I repeat the same test with the same input. Can someone explain the difference, and why I'm getting the same results without htmlpurifier and with htmlpurifier?

Answer
$dirty_html = mysqli_real_escape_string($db_mysqli, $_POST['xx']);
// $dirty_html has the value 777 now
$clean_html = $purifier->purify($dirty_html);
// $clean_html has the value 777 because there is nothing to
// purify in 777, which is a valid value

mysqli_real_escape_string already converts the input to 777.
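An added example (not from the question or the answer) that prints the raw string each stage returns on the command line, since a rendered page hides tags and makes the stages hard to tell apart. It assumes the htmlpurifier-4.8.0 directory from the question sits next to the script and uses addslashes() as a stand-in for mysqli_real_escape_string, which needs a live database connection.

```php
<?php
// Added example: show what each transformation returns for the same input,
// printed raw so the result can be inspected instead of rendered by a browser.
// Assumption: htmlpurifier-4.8.0 is unpacked beside this script, as in the question.
require_once 'htmlpurifier-4.8.0/library/HTMLPurifier.auto.php';

// Constructed test input, the same string the question submits through the form.
$input = '<script>alert("test");</script>777';

// 1. SQL-style escaping only. addslashes() stands in for mysqli_real_escape_string
//    (assumption: no database connection available); both escape quotes and
//    backslashes for SQL and do not touch HTML tags.
$sql_escaped = addslashes($input);

// 2. HTML entity encoding: every tag character becomes text the browser displays.
$entity_encoded = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

// 3. HTMLPurifier: parses the markup and removes elements outside its whitelist,
//    so <script> and its contents are dropped while allowed markup is kept.
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$purified = $purifier->purify($input);

// Print each stage with var_export so quoting and backslashes are visible.
$stages = [
    'raw input'        => $input,
    'SQL escaping'     => $sql_escaped,
    'htmlspecialchars' => $entity_encoded,
    'HTMLPurifier'     => $purified,
];
foreach ($stages as $label => $value) {
    printf("%-17s %s\n", $label . ':', var_export($value, true));
}
```

Run it with `php` from the shell rather than through a browser; comparing the four printed strings shows which stage changes the tag characters and which only changes the quotes.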