The text file's name is 32viestit21.txt
<?php
session_start(); // $_SESSION is only populated after the session is started

if (isset($_POST['send'])) {
    // Only logged-in users may post. The braces matter: without them only the
    // fopen() was guarded and fwrite() ran with an undefined $fp for guests.
    if (isset($_SESSION['username'])) {
        $fp = fopen('32viestit21.txt', 'a');
        $message = $_POST['message'];
        // The message is written to the file unescaped; this is the XSS problem
        // described below, because the file contents are later shown as HTML.
        fwrite($fp, "{$_SESSION['username']}: $message" . PHP_EOL);
        fclose($fp);
    }
    echo "<script>if ( window.history.replaceState ) {
    window.history.replaceState( null, null, window.location.href );
    }
    document.location.reload()</script>";
}
?>
The reason why I ask this is that my website has a chat, and the chat has an XSS problem that I have to fix. The chat works so that users' input goes to a txt file, then PHP shows the txt file data.
Answer
Use htmlspecialchars() to encode the message.
$message=htmlspecialchars($_POST['message']);
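The following is an added example, not code from the question or the answer above. It shows the same htmlspecialchars() fix applied at output time, where the file is turned into HTML, rather than at write time, and goes a little beyond the answer: it passes ENT_QUOTES so a message is also safe inside an attribute, names the charset explicitly, and strips CR/LF from a message so that one POST cannot forge a second "user: text" line in the line-based file. It assumes a UTF-8 page, the same 32viestit21.txt format (one "username: message" record per line) and a session that holds the username; the helper names h(), appendChatLine() and renderChat() and the sample messages are mine.

```php
<?php
// Added example; not part of the original question or answer. Assumes the
// page is served as UTF-8 and the chat file holds one "user: message" per line.

declare(strict_types=1);

// Escape a string for an HTML text or attribute context.
// ENT_QUOTES also encodes ' and ", so the value is safe inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string;
// the charset must match the <meta charset> of the page that shows the chat.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Append one record. The message is stored raw (escaping happens on output),
// but CR/LF are removed so a message cannot break the one-record-per-line
// format and impersonate another user on a forged second line.
function appendChatLine(string $file, string $username, string $message): bool
{
    $message  = str_replace(["\r", "\n"], ' ', $message);
    $username = str_replace(["\r", "\n", ':'], '', $username);
    $line = $username . ': ' . $message . PHP_EOL;
    return file_put_contents($file, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Render the file as HTML, escaping every line at output time. Escaping here
// rather than at write time protects lines that were stored before the fix
// and keeps the stored text reusable for non-HTML outputs (JSON, plain text).
function renderChat(string $file): string
{
    if (!is_file($file)) {
        return "<ul class=\"chat\"></ul>\n";
    }
    $lines = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    $html = "<ul class=\"chat\">\n";
    foreach ($lines as $line) {
        $html .= '  <li>' . h($line) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Demo on a constructed temporary file with attacker-style messages
// (these messages are made up for the example).
$file = tempnam(sys_get_temp_dir(), 'chat');
appendChatLine($file, 'alice', 'hello');
appendChatLine($file, 'mallory', '<script>alert(document.cookie)</script>');
appendChatLine($file, 'mallory', "\" onmouseover=\"alert(1)");
appendChatLine($file, 'mallory', "x\nadmin: everyone reset your password");
echo renderChat($file);
unlink($file);
```

Run it with the PHP CLI; the script tag and the attribute-breakout message come out as literal text inside the <li> elements, and the message with an embedded newline stays on mallory's own line instead of producing a line that appears to come from admin. In the original chat script this corresponds to calling appendChatLine() from the POST handler and renderChat() wherever the txt file is currently echoed into the page.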