how to store javascript in DB, so it does not execute when 'code' is later displayed

10-30-2012, 11:02 AM
I have just found a bug in my code that allows members to add in some JavaScript to their profiles, and this is being executed when their profiles are being viewed by other members.

After doing a simple test like so myself, I see that the JS is being stored so it functions normally when viewed.

<script language='JavaScript'>

How do I stop the JS from running and instead allow it to show as text? The profile field they fill out should not have JS at all, but it only just came to light that this problem exists!

Any help on this would be much appreciated.

10-30-2012, 12:43 PM
Always pass all the values entered by users through the function htmlentities() before echoing them on your site. Or use strip_tags() to remove all HTML tags from it.
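The reply above names htmlentities() and strip_tags(); as an added example (not code from the thread or from either poster), here is how both would be applied at the point where the stored profile text is echoed into the page, using a constructed sample profile value. The helper names escapeHtml() and stripThenEscape(), the `bio` markup and the sample text are assumptions made for the illustration.

```php
<?php
// Added example, not from the thread. Assumed: the profile text is stored in the
// DB exactly as the member typed it, and the fix is applied where it is echoed.
declare(strict_types=1);

// Escape for an HTML text node or a quoted attribute value.
// ENT_QUOTES escapes both quote characters, ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string, and the charset is given explicitly.
function escapeHtml(string $untrusted): string
{
    return htmlentities($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The other option from the reply: drop the tags instead of showing them.
// strip_tags() removes the tag markers only; the text between <script> and
// </script> stays, and quotes and ampersands are untouched, so the result is
// still escaped before it is placed in the page.
function stripThenEscape(string $untrusted): string
{
    return escapeHtml(strip_tags($untrusted));
}

// Constructed sample: what a member might have saved in the "about me" field.
$aboutMe = "Hi! <script>document.title = 'changed';</script> <b>bold</b>";

// Vulnerable, as described in the question: the raw value goes straight into
// the page, so the browser parses and runs the script.
$vulnerable = '<div class="bio">' . $aboutMe . '</div>';

// Hardened: the same value rendered as literal text; the browser shows the
// tags instead of executing them.
$escaped = '<div class="bio">' . escapeHtml($aboutMe) . '</div>';

// Tags removed, then escaped, so only the plain text survives.
$stripped = '<div class="bio">' . stripThenEscape($aboutMe) . '</div>';

// The same data inside an attribute, e.g. on the profile edit form. This is
// where ENT_QUOTES matters: a stray quote must not be able to end the value.
$attribute = '<input type="text" name="bio" value="' . escapeHtml($aboutMe) . '">';

echo "vulnerable: $vulnerable\n";
echo "escaped:    $escaped\n";
echo "stripped:   $stripped\n";
echo "attribute:  $attribute\n";
```

Keep the value in the database as the member entered it and apply escapeHtml() every time it is echoed, choosing the escaping for the context it lands in (text node, attribute, or elsewhere). strip_tags() on its own is a content filter, not an escaping function, so it is not a substitute for htmlentities() at output time.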