re: Stealing Accounts with an IMG Tag
I read all of this and anticipated the part where you tell me how to avoid it and instead only got "go investigate htmlentities" :/

 

Thanks for checking the article out! I've updated the article to be more detailed in this area, but I'll include that in this reply as well. When you allow a user to post text to your site, you take the text they posted on the backend and escape it with the htmlentities function if you're using PHP.

$postedText = htmlentities($postedText);

It's just that simple. This will get rid of any img tags that users try to inject.
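As an added example, not code from the original post or its author, here is the escaping step from the reply written out as a small function with the flags a practitioner would normally pass, applied to a constructed comment that contains an injected image tag. The function name `escapeForHtml`, the sample text and the `attacker.example` host are all assumptions made for this illustration.

```php
<?php
// Added example (not from the original post): escape untrusted text before
// inserting it into HTML, so an injected <img> tag is rendered as literal text.

/**
 * Escape a string for insertion into HTML element content or a quoted
 * attribute value.
 *
 * ENT_QUOTES    escapes both ' and ", so the result is safe inside quoted
 *               attributes as well as between tags.
 * ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of making
 *               htmlentities() return an empty string.
 * ENT_HTML5     selects the HTML5 entity table.
 * 'UTF-8'       states the charset explicitly rather than relying on the
 *               default_charset ini setting.
 */
function escapeForHtml(string $untrusted): string
{
    return htmlentities($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample comment (hypothetical) containing an injected image tag
// that points at a host the site does not control.
$postedText = 'Nice post! <img src="https://attacker.example/pixel.png">';

$safe = escapeForHtml($postedText);

// The angle brackets and quotes are now entities, so the browser shows the
// tag as text instead of requesting the image.
echo $safe, PHP_EOL;
// Nice post! &lt;img src=&quot;https://attacker.example/pixel.png&quot;&gt;

// Escape at output time, every time the text is rendered, rather than once
// at storage time: the stored value stays the user's original text and the
// escaping is applied in the HTML context where it is needed.
$template = '<p class="comment">%s</p>';
echo sprintf($template, $safe), PHP_EOL;
```

Escaping in this way is specific to HTML element content and quoted attribute values; text placed into a URL, a JavaScript string or a CSS value needs the encoding appropriate to that context instead.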
