need to sanitize?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

Better safe than sorry.
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Maugrim_The_Reaper wrote: User enters HTML, HTML is not stored (even temp), same user is the only one capable of seeing their own HTML.

What's to sanitise?

Unless the data is eval'd, outputted to another user, or stored I see no reason...
Hard to explain; it's down to my own ethics, I guess. It's not a case of better safe than sorry, it's more a case of just not wanting my site to be involved in any form of attack, be it a 'suicide' as would happen in this scenario, or used to attack other users.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

When we are talking about securing our sites, applications etc., we also mean/want to prevent one user from attacking another using our site.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

User enters HTML, HTML is not stored (even temp), same user is the only one capable of seeing their own HTML.

What's to sanitise?

Unless the data is eval'd, outputted to another user, or stored I see no reason...
Here's an idea. Guy makes joke website that has a big, red, fluffy DO NOT PRESS button. Obviously, people press it.

What the form does is send the system you describe evil HTML, which the server gurgles back. Bang, compromise.

Sure, you could check referrers or use challenges to stop request forging, but wouldn't it be a lot nicer just to do the darn thing properly? (or htmlentity-ize the whole thing)
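Added example, not code from the thread or from any poster: the echo-back handler Ambush Commander describes, first in its reflecting form and then hardened with entity encoding and a per-session token; the endpoint layout and the field names `html`, `token` and `preview_token` are assumptions.

```php
<?php
// Added example: a "preview my HTML" endpoint that reflects the POST body
// to the user who submitted it. Field and session names are assumptions.
session_start();

// Reflecting form: echoes the submitted markup verbatim. Any third-party
// page can POST a form here, so "only the same user sees it" does not hold;
// the browser of whoever submitted that form renders the reflected markup.
function preview_unsafe(array $post): string
{
    return $post['html'] ?? '';
}

// Hardened form:
//  1. A per-session token is embedded in the real form and required on
//     submit, so a form hosted elsewhere cannot trigger the reflection.
//  2. The content is entity-encoded before it reaches the page, so the
//     browser displays it as text instead of interpreting it as markup.
function issue_token(): string
{
    if (empty($_SESSION['preview_token'])) {
        $_SESSION['preview_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['preview_token'];
}

function preview_safe(array $post): string
{
    $expected = $_SESSION['preview_token'] ?? '';
    $given    = (string) ($post['token'] ?? '');
    // hash_equals() compares in constant time, avoiding a timing side channel.
    if ($expected === '' || !hash_equals($expected, $given)) {
        http_response_code(403);
        return 'Invalid request token.';
    }
    // ENT_QUOTES also encodes single quotes; the charset must match the page's.
    return htmlspecialchars($post['html'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

header('Content-Type: text/html; charset=UTF-8');
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo '<pre>' . preview_safe($_POST) . '</pre>';
} else {
    $token = htmlspecialchars(issue_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post">'
       . '<input type="hidden" name="token" value="' . $token . '">'
       . '<textarea name="html"></textarea><button>Preview</button></form>';
}
```

The token check is what answers the cross-site form-submission case; the encoding is what keeps the echoed text from being rendered as markup, so the two defences cover different failure modes and both are needed.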
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Everah wrote: I don't think sanitizing is necessary. I might consider running it through an HTML entity conversion for safety's sake, but essentially the post data will reside in temporary space, seeing as the posted data will be immediately displayed on screen to the user that posted it. If anyone is going to be affected by it, it will be the person that posted it.
Hey hey, maybe that wasn't such a stupid idea? Eh? :D