Swift filters?
Does Swift do any filtering of the data or supply a class that does so? Or is it totally up to me?
Do I even need to do it, or will my mail program do it anyway?
Let's say I have a contact form and I want the message to be sent to my email using Swift. Do I need to do anything, or can I pass $_POST['msg'] directly to Swift?
Is there any danger in this?
Thanks.
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
Oren wrote:
> Ok, thanks. I guess I'll just play with this a little bit and see what happens when I open my mail after sending to myself something like "<script>XSS!</script>" and friends without any filtering!
> I'll post the results later on - maybe tomorrow or whenever I'm done with the testing.

You'd be unlikely to succeed with an XSS attack via email. Most clients disable JS, and web-based services would be foolish not to filter it themselves.
d11wtq wrote:
> You'd be unlikely to succeed with an XSS attack via email. Most clients disable JS, and web-based services would be foolish not to filter it themselves.

Exactly, that's why I asked if there is any need to filter it at all. Then what do you say, can I just pass $_POST['msg'] to Swift or what?
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
Oren wrote:
> d11wtq wrote:
> > You'd be unlikely to succeed with an XSS attack via email. Most clients disable JS, and web-based services would be foolish not to filter it themselves.
>
> Exactly, that's why I asked if there is any need to filter it at all. Then what do you say, can I just pass $_POST['msg'] to Swift or what?

I'd still filter it with HTMLPurifier. It's a piece of cake and there's no harm in filtering yourself. You can't rely on other people's security.
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
Chris Corbyn wrote:
> I'd still filter it with HTMLPurifier.

If I understand it correctly, HTMLPurifier cleans up HTML. So I'm curious why you recommend its use, in conjunction with SwiftMailer, for filtering input from a contact form. What does it do to data that doesn't (or shouldn't) contain HTML markup that makes it more secure? Would just using these two together assure me of a secure form, or are there still things I should do in addition? Also, how would I implement the two together (this is all new to me, so the more details, the better)?
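One concrete way to put the two libraries together, as an added example rather than code anyone posted in this thread: the raw submission goes into a plain-text part (where markup is never interpreted), and the HTML part is run through HTMLPurifier first. It assumes Swift Mailer 4.x and HTMLPurifier 4.x; the require paths and e-mail addresses are placeholders, and the sample message reuses Oren's test string from above.

```php
<?php
// Added example, not from the thread. Paths below are placeholders for wherever
// the two libraries' autoloaders live on your system.
require_once '/path/to/swift_required.php';
require_once '/path/to/HTMLPurifier.auto.php';

/**
 * Build the two bodies for a contact-form message.
 * Returns array($plainText, $purifiedHtml).
 */
function buildContactBodies($msg) {
    $config = HTMLPurifier_Config::createDefault();
    // Whitelist a few harmless tags; script, event handlers, etc. are removed.
    $config->set('HTML.Allowed', 'p,br,b,i,a[href]');
    $purifier = new HTMLPurifier($config);
    $html = $purifier->purify($msg);
    // The plain-text part carries the submission verbatim; a text/plain part
    // is displayed as text, so nothing in it can execute.
    return array($msg, $html);
}

// Constructed sample input standing in for $_POST['msg'] when run by hand.
$msg = isset($_POST['msg']) ? $_POST['msg'] : 'Hi!<script>XSS!</script><b>bold</b>';
list($text, $html) = buildContactBodies($msg);

// Sender and recipient are fixed by the site, not taken from the form.
$message = Swift_Message::newInstance('Contact form submission')
    ->setFrom(array('contact@example.com' => 'Contact form'))
    ->setTo(array('me@example.com'))
    ->setBody($text, 'text/plain')   // plain-text part: raw, never rendered as HTML
    ->addPart($html, 'text/html');   // HTML part: only whitelisted markup survives

$mailer = Swift_Mailer::newInstance(Swift_MailTransport::newInstance());
$mailer->send($message);
```

With the sample input, the HTML part ends up as `Hi!<b>bold</b>` while the text part keeps the literal `<script>` tags as inert text.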
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
