Prevent HTML from being displayed from the $_GET method

I’m currently working on a user management system.
I have the register and sign-in pages, among other pages, that all use the $_GET function. After experimenting a bit I noticed that you can print HTML code from the GET parameters when you know exactly what you are doing. There is probably a way to exploit this by using onerror in an img tag, for example.

How can I prevent this from happening?

The URL: users.php?s=login&mail=">%20<img%20src=%27../images/notification_bell.png%27%20width=%2725px%27>

What it displays: [screenshot not preserved]
And my code:

```php
<?php
// $mail comes straight from the query string and is never escaped, so anything
// after a closing quote in ?mail=... is emitted into the HTML unchanged.
// (The assignments below are assumed; the post only shows the print call.)
$url  = 'users.php?s=login';
$mail = $_GET['mail'] ?? '';

print ' <form action="' .$url. '" method="post">
                <input type="hidden" name="a" value="login"/>
    
                <b><label for="mail">E-Mail:</label></b>
                <input type="email" id="mail" name="mail" maxlength="50" value="' .$mail. '" required><br><br>
'; // remainder of the form is cut off in the post
```



Solution:

Use htmlspecialchars to convert user-supplied characters into web-safe code. https://www.php.net/htmlspecialchars

Also, maybe you could use filter_var to validate the email and simply unset it if it’s invalid. https://www.php.net/filter_var
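The answer's two suggestions applied to the form from the question, as an added example (this is not the asker's or the answerer's code). The helper names cleanMail, h and renderLoginForm, the form action URL and the sample inputs are assumptions made for the illustration; the payload string is the one from the question's URL, decoded.

```php
<?php
// Added example: validate on input with filter_var, escape on output with
// htmlspecialchars. Helper names and sample values are assumptions.

declare(strict_types=1);

// Validate first: anything that is not a syntactically valid address is
// discarded rather than echoed back. filter_var returns false on failure.
function cleanMail(?string $raw): string
{
    if ($raw === null) {
        return '';
    }
    $valid = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $valid === false ? '' : $valid;
}

// Escape at the point the value is placed into HTML. ENT_QUOTES also escapes
// single quotes (the attribute might be single-quoted elsewhere); ENT_SUBSTITUTE
// keeps invalid UTF-8 from silently producing an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same markup as the question, with every dynamic value passed through h().
function renderLoginForm(string $url, string $mail): string
{
    return '<form action="' . h($url) . '" method="post">'
         . '<input type="hidden" name="a" value="login"/>'
         . '<b><label for="mail">E-Mail:</label></b>'
         . '<input type="email" id="mail" name="mail" maxlength="50" value="'
         . h($mail) . '" required><br><br>'
         . '</form>';
}

// Constructed inputs: the payload from the question and a legitimate address.
$payload = '"> <img src=\'../images/notification_bell.png\' width=\'25px\'>';
$good    = 'alice@example.com';

// Validation alone drops the payload entirely and keeps the real address.
var_dump(cleanMail($payload));
var_dump(cleanMail($good));

// Escaping alone neutralises the payload even if validation were bypassed:
// the quote and angle brackets arrive in the browser as entities, so the
// value attribute is never closed and no <img> element is created.
echo renderLoginForm('users.php?s=login', $payload), PHP_EOL;

// What the real page would do: validate, then escape when rendering.
echo renderLoginForm('users.php?s=login', cleanMail($_GET['mail'] ?? '')), PHP_EOL;
```

Both layers matter: filter_var decides whether the value is acceptable at all, while htmlspecialchars guarantees that whatever is rendered cannot change the surrounding markup. Do the escaping where the value is inserted into HTML, not when it is read from $_GET, so the same variable can still be used safely in a database query or an e-mail without double encoding. Note that the type="email" attribute on the input is enforced only by the browser and gives no protection on the server.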
