need to sanitize?

Posted: Thu Jul 06, 2006 4:48 am
by s.dot
I'm just building a simple form. A user would put in html, a new window will be opened showing them the display of this HTML. Sort of like a "test your html code" thing. The form contents, will not be saved, written to a database, or anything. Just passed through $_POST and then disregarded. Is there any need to sanitize this?

Posted: Thu Jul 06, 2006 5:20 am
by Oren
Of course. You are going to execute this HTML code on your server and therefore you need to sanitize it.

Posted: Thu Jul 06, 2006 5:26 am
by s.dot
I'm going to execute HTML code? I thought HTML was client side and interpreted by the browser. The server will display the HTML, and the only person seeing it will be the one entering it. What should I sanitize it of?

Posted: Thu Jul 06, 2006 5:37 am
by Oren
Yes, but the user can use some PHP code too...

Posted: Thu Jul 06, 2006 6:07 am
by Jenk
If you don't eval() the content, it won't be parsed by the PHP/Zend engine on your server.

much like:

<?php
// The posted value is written straight into the response; PHP does not parse it.
echo $_POST['variable'];
?>
will not execute anything on server side.

scottay:

It's better practice to sanitise.. though like you have realised as well, a malicious attacker would be shooting themselves in the foot so to speak, if they tried anything.

I would sanitise it. Not quite sure how I would go about it though, probably rigorous regexes.

Posted: Thu Jul 06, 2006 6:44 am
by Oren
It really depends on the way your script is going to work...
If, for example, you are going to save the user's input in a tmp .php file then it will be parsed.
I'd sanitise any data which comes from my users.

Posted: Thu Jul 06, 2006 6:52 am
by Jenk
Oren wrote: It really depends on the way your script is going to work...
If, for example, you are going to save the user's input in a tmp .php file then it will be parsed.
I'd sanitise any data which comes from my users.
The OP has already said it won't be saved.

Posted: Thu Jul 06, 2006 7:47 am
by Oren
Oh yeah... Sorry for that :P

Posted: Thu Jul 06, 2006 3:38 pm
by s.dot
This is just a new page, with <?php echo $_POST['htmlcode']; ?>, so I really don't see a reason to sanitize anything. So thanks for your help. :-D

Posted: Thu Jul 06, 2006 4:42 pm
by RobertGonzalez
I don't think sanitizing is necessary. I might consider running it through an HTML entity conversion for safety's sake, but essentially the post data will reside in temporary space seeing as the posted data will be immediately displayed on screen to the user that posted it. If anyone is going to be affected by it, it will be the person that posted it.

Posted: Thu Jul 06, 2006 9:04 pm
by Jenk
Running it through htmlentities() defeats the object of the page.. it is to allow users to preview HTML code as it would be if it were source, i.e. it is to be parsed by the client. At least that is my understanding ..

I'd sanitise it anyway.. I don't want anything that could be malicious to 'attack' ANY of my users, even if they are the ones to propagate the attack.

Posted: Thu Jul 06, 2006 9:59 pm
by RobertGonzalez
Yeah, you're right. It was probably a stupid suggestion. Too many posts to answer and too little sleep to answer them rightly.

Posted: Fri Jul 07, 2006 3:00 am
by Oren
Jenk wrote: I'd sanitise it anyway.. I don't want anything that could be malicious to 'attack' ANY of my users, even if they are the ones to propagate the attack.
Yes, that's exactly why I suggested you sanitise it even though I couldn't think of a possible attack... Maybe a JavaScript attack?
Read this article by ALA: Community Creators, Secure Your Code!
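As an added example (not code from anyone in this thread), here is one way to build the preview page so the submitted HTML is still rendered by the browser but kept away from the rest of the site: the form carries a per-session token, so the endpoint only renders HTML that was submitted from its own form rather than from a form on some other site posting to it, and the preview is placed in a sandboxed iframe instead of being echoed straight into the page. The field names, the session key and the page layout are assumptions.

```php
<?php
// Added example: a "test your HTML" preview endpoint.
// Assumed names: session key 'preview_token', form fields 'token' and 'htmlcode'.
session_start();

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // Hand out a per-session token with the form. A POST that lacks it did not
    // come from this form, so the endpoint will refuse to render it.
    if (empty($_SESSION['preview_token'])) {
        $_SESSION['preview_token'] = bin2hex(random_bytes(32));
    }
    $token = htmlspecialchars($_SESSION['preview_token'], ENT_QUOTES, 'UTF-8');
    header('Content-Type: text/html; charset=UTF-8');
    echo '<form method="post">'
       . '<input type="hidden" name="token" value="' . $token . '">'
       . '<textarea name="htmlcode" rows="10" cols="60"></textarea>'
       . '<button type="submit">Preview</button>'
       . '</form>';
    exit;
}

// Constant-time comparison of the submitted token against the session's copy.
$expected = $_SESSION['preview_token'] ?? '';
$given    = $_POST['token'] ?? '';
if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
    http_response_code(403);
    exit('Preview request did not come from this site\'s own form.');
}

$html = $_POST['htmlcode'] ?? '';
if (!is_string($html)) {
    $html = '';
}

// Do not write the submitted HTML directly into this origin's document.
// srcdoc is an attribute, so the HTML is entity-encoded here and the browser
// decodes it again when it parses the frame; inside the frame it renders as
// the user typed it. The bare sandbox attribute disables scripts and forms
// and gives the frame a unique origin, so it cannot touch this site's
// cookies or DOM.
header('Content-Type: text/html; charset=UTF-8');
echo '<!DOCTYPE html><html><head><meta charset="UTF-8">'
   . '<title>HTML preview</title></head><body>'
   . '<iframe sandbox width="100%" height="600" srcdoc="'
   . htmlspecialchars($html, ENT_QUOTES, 'UTF-8')
   . '"></iframe>'
   . '</body></html>';
```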

Posted: Fri Jul 07, 2006 3:03 am
by Benjamin
Hmmm, if someone wants to attack themselves... :?

Posted: Fri Jul 07, 2006 4:44 am
by Maugrim_The_Reaper
User enters HTML, HTML is not stored (even temp), same user is the only one capable of seeing their own HTML.

What's to sanitise?

Unless the data is eval'd, output to another user, or stored I see no reason...