need to sanitize?
I'm just building a simple form. A user would put in HTML, and a new window will be opened showing them the display of this HTML. Sort of like a "test your HTML code" thing. The form contents will not be saved, written to a database, or anything. Just passed through $_POST and then disregarded. Is there any need to sanitize this?
Set Search Time - A Google Chrome extension. When you search, only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
I'm going to execute HTML code? I thought HTML was client side and interpreted by the browser. The server will display the HTML, and the only person seeing it will be the one entering it. What should I sanitize it of?
scottay:
It's better practice to sanitise.. though like you have realised as well, a malicious attacker would be shooting themselves in the foot so to speak, if they tried anything.
I would sanitise it. Not quite sure how I would go about it though, probably rigorous regexes.

If you don't eval() the content, it won't be parsed by the PHP/Zend engine on your server. Much like:
Code:
<?php
echo $_POST['variable'];
?>
will not execute anything on server side.
This is just a new page, with <?php echo $_POST['htmlcode']; ?>, so I really don't see a reason to sanitize anything. So thanks for your help. 
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
I don't think sanitizing is necessary. I might consider running it through an HTML entity conversion for safety's sake, but essentially the post data will reside in temporary space, seeing as the posted data will be immediately displayed on screen to the user that posted it. If anyone is going to be affected by it, it will be the person that posted it.
Running it through htmlentities() defeats the object of the page.. it is to allow users to preview HTML code as it would be if it were source, i.e. it is to be parsed by the client. At least that is my understanding ..
I'd sanitise it anyway.. I don't want anything that could be malicious to 'attack' ANY of my users, even if they are the ones to propagate the attack.
Jenk wrote:
I'd sanitise it anyway.. I don't want anything that could be malicious to 'attack' ANY of my users, even if they are the ones to propagate the attack.
Yes, that's exactly why I suggested you sanitise it even though I couldn't think of a possible attack... Maybe a JavaScript attack?
Read this article by ALA: Community Creators, Secure Your Code!
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
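Added example, not code from anyone in this thread: the thread ends on "maybe a JavaScript attack?" and on Jenk's point that the preview should not be able to attack any user, and the practical answer to both is to keep the "render the HTML as-is" behaviour the original poster wants but put the rendered result in a sandboxed frame, so any script in the submitted markup runs with no access to this site's origin, cookies or DOM. The form field name htmlcode is taken from the original poster's snippet; the file name preview.php and the page layout are assumptions.

```php
<?php
// preview.php: added example, not the original poster's code. Assumes the
// form field is named "htmlcode", as in the poster's own echo snippet.
declare(strict_types=1);

// The thread's approach is <?php echo $_POST['htmlcode']; ?>, which writes the
// submitted markup straight into a page served from this site's origin, so any
// <script> in it runs with that origin's privileges.
//
// Hardened approach: render the markup inside an <iframe sandbox>. An empty
// sandbox attribute blocks script execution, forms, popups and plugins and
// gives the frame an opaque origin, so the preview can neither run script nor
// read this site's cookies or DOM. htmlspecialchars() is applied only to the
// attribute value; the browser decodes those entities when it parses srcdoc,
// so the user still sees their markup rendered as HTML.
function render_sandboxed(string $html): string
{
    $attr = htmlspecialchars($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<!DOCTYPE html>' . "\n"
        . '<html><head><meta charset="utf-8"><title>HTML preview</title></head>' . "\n"
        . '<body><iframe sandbox srcdoc="' . $attr
        . '" style="width:100%;height:80vh;border:0"></iframe></body>' . "\n"
        . '</html>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $html = (string) ($_POST['htmlcode'] ?? '');
    header('Content-Type: text/html; charset=UTF-8');
    // The preview page itself also refuses to be framed by other sites.
    header("Content-Security-Policy: frame-ancestors 'none'");
    echo render_sandboxed($html);
    exit;
}
?>
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Test your HTML</title></head>
<body>
<form method="post" action="" target="_blank">
  <textarea name="htmlcode" rows="12" cols="80"></textarea>
  <button type="submit">Preview</button>
</form>
</body></html>
```

Nothing is stored, so there is still no database or regex work to do; the only change from the poster's page is that the rendered preview lives in an isolated frame. If a preview genuinely needs script (say, to test a snippet's own JavaScript), the sandbox can be loosened to `sandbox="allow-scripts"`, which still leaves the frame on an opaque origin and unable to touch the parent page.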