Posted: Fri Jul 07, 2006 5:14 am
Better safe than sorry.
A community of PHP developers offering assistance, advice, discussion, and friendship.
http://forums.devnetwork.net/
Hard to explain, it's down to my own ethics I guess. It's not a case of better safe than sorry, it's more a case of just not wanting my site to be involved in any form of attack, be it a 'suicide' as would happen in this scenario, or used to attack other users.

Maugrim_The_Reaper wrote:
    User enters HTML, HTML is not stored (even temp), same user is the only one capable of seeing their own HTML.
    What's to sanitise?
    Unless the data is eval'd, outputted to another user, or stored I see no reason...
Here's an idea. Guy makes joke website that has a big, red, fluffy DO NOT PRESS button. Obviously, people press it.

    User enters HTML, HTML is not stored (even temp), same user is the only one capable of seeing their own HTML.
    What's to sanitise?
    Unless the data is eval'd, outputted to another user, or stored I see no reason...
Hey hey, maybe that wasn't such a stupid idea? Eh?

Everah wrote:
    I don't think sanitizing is necessary. I might consider running it through an HTML entity conversion for safety's sake, but essentially the post data will reside in temporary space, seeing as the posted data will be immediately displayed on screen to the user that posted it. If anyone is going to be affected by it, it will be the person that posted it.
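The HTML entity conversion Everah mentions, shown next to the unescaped reflection the thread is arguing about. This is an added example, not code from the thread; the POST field name 'html' and the sample submission are assumed.

```php
<?php
// Added example, not from the thread. Assumed: the page reflects a POSTed
// field named 'html' straight back to the user who submitted it.
declare(strict_types=1);

// Reflects the submission as-is. Only the submitter sees the result, but
// whoever gets the submitter to send the form (the thread's "DO NOT PRESS"
// button) decides what markup, scripts included, runs in that user's browser.
function render_preview_unsafe(string $input): string
{
    return '<div class="preview">' . $input . '</div>';
}

// Entity-encodes before output so the browser shows the markup as text.
// ENT_QUOTES covers both quote styles (matters if the value ever lands in an
// attribute); ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function render_preview_safe(string $input): string
{
    $escaped = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="preview">' . $escaped . '</div>';
}

// Constructed sample submission containing a script element, used as a
// fallback so the script also runs from the command line.
$sample = '<b>hello</b><script>/* would run in the submitter\'s browser */</script>';
$posted = $_POST['html'] ?? null;
$input  = is_string($posted) ? $posted : $sample;

// Escaping assumes the browser decodes the page as UTF-8, so declare it.
header('Content-Type: text/html; charset=UTF-8');

echo "Unsafe: ", render_preview_unsafe($input), "\n";
echo "Safe:   ", render_preview_safe($input), "\n";
```

The unsafe line hands the script element to the browser; the safe line renders the same submission as visible text, which is the "temporary, only the poster sees it" case done without trusting the request.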