need to sanitize?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

I'm just building a simple form. A user would put in html, a new window will be opened showing them the display of this HTML. Sort of like a "test your html code" thing. The form contents, will not be saved, written to a database, or anything. Just passed through $_POST and then disregarded. Is there any need to sanitize this?
Set Search Time - A Google Chrome extension. When you search, only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

Of course. You are going to execute this HTML code on your server and therefore you need to sanitize it.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

I'm going to execute HTML code? I thought HTML was client side and interpreted by the browser. The server will display the HTML, and the only person seeing it will be the one entering it. What should I sanitize it of?
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

Yes, but the user can use some PHP code too...
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

If you don't eval() the content, it won't be parsed by the PHP/Zend engine on your server.

Much like:

```php
<?php

echo $_POST['variable'];

?>
```

will not execute anything on the server side.

scottay:

It's better practice to sanitise.. though like you have realised as well, a malicious attacker would be shooting themselves in the foot, so to speak, if they tried anything.

I would sanitise it. Not quite sure how I would go about it though, probably rigorous regexes.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

It really depends on the way your script is going to work...
If, for example, you are going to save the user's input in a tmp .php file then it will be parsed.
I'd sanitise any data which comes from my users.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Oren wrote:
    It really depends on the way your script is going to work...
    If, for example, you are going to save the user's input in a tmp .php file then it will be parsed.
    I'd sanitise any data which comes from my users.

The OP has already said it won't be saved.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

Oh yeah... Sorry for that :P
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

This is just a new page, with <?php echo $_POST['htmlcode']; ?>, so I really don't see a reason to sanitize anything. So thanks for your help. :-D
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I don't think sanitizing is necessary. I might consider running it through an HTML entity conversion for safety's sake, but essentially the post data will reside in temporary space, seeing as the posted data will be immediately displayed on screen to the user that posted it. If anyone is going to be affected by it, it will be the person that posted it.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Running it through htmlentities() defeats the object of the page.. it is to allow users to preview HTML code as it would be if it were source, i.e. it is to be parsed by the client. At least that is my understanding ..

I'd sanitise it anyway.. I don't want anything that could be malicious to 'attack' ANY of my users, even if they are the ones to propagate the attack.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Yeah, you're right. It was probably a stupid suggestion. Too many posts to answer and too little sleep to answer them rightly.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

Jenk wrote:
    I'd sanitise it anyway.. I don't want anything that could be malicious to 'attack' ANY of my users, even if they are the ones to propagate the attack.

Yes, that's exactly why I suggested that you sanitise it even though I couldn't think of a possible attack... Maybe a JavaScript attack?
Read this article by ALA: Community Creators, Secure Your Code!
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Hmmm, if someone wants to attack themself... :?
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

User enters HTML, HTML is not stored (even temp), same user is the only one capable of seeing their own HTML.

What's to sanitise?

Unless the data is eval'd, outputted to another user, or stored I see no reason...
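As an added example that is not code from any poster in this thread: a preview page built around s.dot's `<?php echo $_POST['htmlcode']; ?>` that still echoes the HTML unchanged (so, as Jenk notes, htmlentities() is not needed and the preview keeps working) but sends a Content-Security-Policy sandbox header, so that whatever the submitted markup contains is rendered without script execution and without the site's own origin. This addresses Jenk's concern about a malicious page reaching "ANY of my users" without deciding who could submit it. The field name `htmlcode` is from the thread; the function name and the data-returning structure are my assumptions.

```php
<?php
// Added example, not from the thread. Preview page for user-submitted HTML:
// the markup is echoed unchanged (the feature Jenk describes), but the
// response carries a CSP "sandbox" header so the previewed document gets no
// script execution, no form submission and a unique (non-site) origin.
declare(strict_types=1);

// Builds the response as data so it can be inspected without a web server.
// Field name "htmlcode" is s.dot's; the function name is an assumption.
function buildPreviewResponse(string $method, array $post): array
{
    if ($method !== 'POST') {
        return ['status' => 405, 'headers' => ['Allow' => 'POST'], 'body' => 'Use POST'];
    }
    $html = $post['htmlcode'] ?? '';
    if (!is_string($html)) {          // arrays arrive via htmlcode[]=...
        return ['status' => 400, 'headers' => [], 'body' => 'Bad request'];
    }
    return [
        'status'  => 200,
        'headers' => [
            'Content-Type'            => 'text/html; charset=UTF-8',
            // Bare "sandbox" applies every restriction; add allow-* flags only
            // if the preview genuinely needs them (never allow-same-origin
            // together with allow-scripts, which would undo the sandbox).
            'Content-Security-Policy' => 'sandbox',
            'X-Content-Type-Options'  => 'nosniff',
            'Cache-Control'           => 'no-store',
        ],
        'body'    => $html,
    ];
}

if (PHP_SAPI !== 'cli') {
    $resp = buildPreviewResponse($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST);
    http_response_code($resp['status']);
    foreach ($resp['headers'] as $name => $value) {
        header($name . ': ' . $value);
    }
    echo $resp['body'];
}
```

The sandbox directive is only honoured when delivered as a response header, not in a `<meta>` tag, which is why the example sets it with header() rather than inside the echoed HTML.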