The text file's name is 32viestit21.txt.
PHP
<?php
// $_SESSION is only populated after the session has been started.
session_start();
if (isset($_POST['send'])) {
    if (isset($_SESSION['username'])) {
        $fp = fopen('32viestit21.txt', 'a');
        // The message is stored exactly as the user typed it, including any
        // HTML or <script> tags; this is the XSS problem described below.
        $message = $_POST['message'];
        // code here
        fwrite($fp, "$_SESSION[username]: $message" . PHP_EOL);
        fclose($fp);
    }
    // Replace the POST entry in the browser history, then reload as a GET so
    // that refreshing the page does not resubmit the form.
    echo "<script>if ( window.history.replaceState ) {
        window.history.replaceState( null, null, window.location.href );
    }
    document.location.reload()</script>";
}
?>
The reason I ask is that my website has a chat, and the chat has an XSS problem that I have to fix. The chat works so that user input goes to a txt file and then PHP shows the txt file's data.
Answer
Use htmlspecialchars() to encode the message.
PHP
// Encode <, >, &, " and ' so the stored text is rendered as text, not markup.
$message = htmlspecialchars($_POST['message'], ENT_QUOTES, 'UTF-8');
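The answer above encodes the message at the moment it is written to the file. An equally common approach, shown here as an added example that is not the poster's or the answerer's code, is to keep the file as plain text and encode at output time, when the line is placed into HTML. The example assumes the same one-line-per-message format ("username: message") and the same file name 32viestit21.txt; the helper names h(), append_message() and render_chat() are mine, and the POST handler uses a 303 redirect instead of the history.replaceState() reload from the question. It also encodes the username, since that value is user-supplied too, and strips newlines from the message, because in a line-oriented file an embedded newline would otherwise show up as a second, forged line.

```php
<?php
// Added example: output-time HTML encoding for a txt-file chat log.
// Assumes the format "username: message" per line in 32viestit21.txt.
declare(strict_types=1);

const CHAT_FILE = '32viestit21.txt';

// Encode one string for safe insertion as HTML text. ENT_QUOTES also encodes
// single quotes, so the result is safe inside quoted attributes; ENT_SUBSTITUTE
// replaces invalid UTF-8 sequences instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Append the raw message. Newlines are replaced with spaces because the file
// uses one line per message; ':' is removed from the name so the separator
// stays unambiguous when the line is split again on display.
function append_message(string $file, string $username, string $message): void
{
    $message  = str_replace(["\r", "\n"], ' ', $message);
    $username = str_replace(["\r", "\n", ':'], ' ', $username);
    file_put_contents($file, "$username: $message" . PHP_EOL, FILE_APPEND | LOCK_EX);
}

// Read the file and return HTML in which both the name and the text of every
// line are encoded before they are placed in markup.
function render_chat(string $file): string
{
    if (!is_file($file)) {
        return '';
    }
    $html = '';
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        [$name, $text] = array_pad(explode(': ', $line, 2), 2, '');
        $html .= '<div class="msg"><b>' . h($name) . '</b>: ' . h($text) . "</div>\n";
    }
    return $html;
}

if (PHP_SAPI === 'cli') {
    // Constructed demo input (not real chat data): run with `php chat.php`.
    $tmp = tempnam(sys_get_temp_dir(), 'chat');
    append_message($tmp, 'alice', 'hello');
    append_message($tmp, 'mallory', "<script>alert(1)</script>\nadmin: you are banned");
    echo render_chat($tmp);
    unlink($tmp);
} else {
    // Same flow as the question: a POST appends one line, then the client is
    // sent back to the page with a GET so a refresh does not resubmit.
    session_start();
    if (isset($_POST['send'], $_POST['message'], $_SESSION['username'])) {
        append_message(CHAT_FILE, (string) $_SESSION['username'], (string) $_POST['message']);
        header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
        exit;
    }
    echo render_chat(CHAT_FILE);
}
```

Run from the command line, the demo writes a constructed script tag and a message carrying a newline into a temporary file and prints the rendered markup: the angle brackets come out as entities and the second message stays on a single line. Encoding at output rather than at storage keeps the file free of HTML entities, which matters if the same log is ever shown somewhere other than a web page; whichever side you choose, do it consistently so the text is encoded exactly once.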