Sanitizing input but output not as expected

This is one of my forms(PHP+MySQL, textarea replaced by TinyMCE). It records description with paragraphs, bullets, headings and text alignment (right, left, center and justify).

[screenshot of the form]

Once submitted, the record appears as

    <p style="text-align: justify;"><strong>Introduction</strong></p>
    <p style="text-align: justify;">The death of the pixel leaves you with a flowing, magazine-quality canvas to design for. A canvas where curves are curves, not ugly pixel approximations of curves. A canvas that begins to blur the line between what we consider to be real and what we consider to be virtual.</p>
    <p style="text-align: justify;">It wasn't too long ago that there was one set of rules for use of type on print and use of type on screen. Now that we have screens that are essentially print quality, we have to reevaluate these conventions.</p>
    <p style="text-align: justify;">Web sites are transforming from boring fields of Arial to embrace the gamut of typographical possibilities offered by web fonts. Web fonts, combined with the style and layout options presented by the creative use of CSS and JavaScript offer a new world of typographic oppor</p>
    <li style="text-align: justify;">point 1</li>
    <li style="text-align: justify;">point 2</li>
    <li style="text-align: justify;">point 3</li>

I read that you need to sanitize any data that goes into the database to avoid XSS and started looking for a solution.

The solution I found is to use “htmlspecialchars()” (Source: Creating Secure PHP Websites).

So, the tutorial says that we need to sanitize our input before saving to the database and use something like (sample code)

    <?php
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $category_description = $_POST['category_description'];
        // Raw value, exactly as submitted by the editor
        echo $category_description;
        echo '<br><br>';
        // Special characters (& < > " ') converted to entities
        echo htmlspecialchars($category_description);
        echo '<br><br>';
        // Every character that has an HTML entity converted
        echo htmlentities($category_description);
        echo '<br><br>';
        // All tags removed, text kept
        echo strip_tags($category_description);
    }

to avoid XSS.

I get it up to here. The htmlspecialchars() function converts some predefined characters to HTML entities, htmlentities() converts characters to HTML entities and strip_tags() removes any tags altogether.

But after using htmlspecialchars(), htmlentities() and strip_tags(), the output now renders as

[screenshot of the rendered output]

which I believe is safe but doesn’t look good on the front page when fetched from the database.

How do I render an input which has been passed through htmlspecialchars or htmlentities?
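Added example, not code from the original post: for a rich-text field like this one, keep the TinyMCE HTML as submitted and, on output, pass it through an allowlist filter instead of decoding an htmlspecialchars()'d string (decoding it would simply reintroduce the XSS risk). The helper name `sanitize_rich_text` and its allowlist are assumptions chosen to match the formatting the form uses (paragraphs, bullets, headings, text alignment).

```php
<?php
// Assumed helper (not from the original post): output-side allowlist filter
// built on PHP's DOMDocument. Unknown tags are unwrapped, dangerous ones are
// dropped, and the only attribute kept is a validated text-align style.
function sanitize_rich_text(string $html): string
{
    $allowedTags = ['p', 'strong', 'em', 'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'br'];
    $dropWithContent = ['script', 'style', 'iframe', 'object', 'embed'];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // fragments trigger harmless parse warnings
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->documentElement;      // the wrapper <div>

    // Reverse document order, so children are handled before their parents.
    $nodes = iterator_to_array((new DOMXPath($doc))->query('//*'));
    foreach (array_reverse($nodes) as $el) {
        if ($el->isSameNode($root) || $el->parentNode === null) {
            continue;
        }
        if (!in_array($el->tagName, $allowedTags, true)) {
            if (!in_array($el->tagName, $dropWithContent, true)) {
                // Unwrap: keep the children, lose the tag itself.
                while ($el->firstChild) {
                    $el->parentNode->insertBefore($el->firstChild, $el);
                }
            }
            $el->parentNode->removeChild($el);
            continue;
        }
        // Allowed tag: strip every attribute (onclick, href, ...) except a
        // style that is exactly one text-align declaration.
        foreach (iterator_to_array($el->attributes) as $attr) {
            $re = '/^\s*text-align\s*:\s*(left|right|center|justify)\s*;?\s*$/i';
            if ($attr->name === 'style' && preg_match($re, $attr->value, $m)) {
                $el->setAttribute('style', 'text-align: ' . strtolower($m[1]) . ';');
            } else {
                $el->removeAttribute($attr->name);
            }
        }
    }
    // Serialize the wrapper's children; DOM re-escapes text nodes for us.
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
```

Call it at render time, for example `echo sanitize_rich_text($row['category_description']);`, and keep htmlspecialchars() for plain-text fields such as a category name.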

