Swift filters?
Posted: Wed Apr 11, 2007 1:48 pm
by Oren
Does Swift do any filtering of the data or supply a class that does so? Or it's totally up to me?
Do I even need to do it or my mail program will do it anyway?
Let's say I have a contact form and I wanted the message to be sent to my email using Swift. Do I need to do anything or I can pass $_POST['msg'] directly to Swift?
Is there any danger in this?
Thanks.
Posted: Wed Apr 11, 2007 1:54 pm
by Chris Corbyn
I worry about injection in the headers and internationalization in the body (assuming you have your web page set up with the correct charset Swift is set to use). It won't filter XSS attacks in HTML emails though. Use HTMLPurifier for that. Hmm... that could actually be a new plugin

Posted: Wed Apr 11, 2007 2:02 pm
by Oren
Ok, thanks. I guess I'll just play with this a little bit and see what happens when I open my mail after sending to myself something like "<script>XSS!</script>" and friends without any filtering
I'll post the results later on - maybe tomorrow or whenever I'm done with the testing.
Posted: Wed Apr 11, 2007 2:14 pm
by Chris Corbyn
Oren wrote:Ok, thanks. I guess I'll just play with this a little bit and see what happens when I open my mail after sending to myself something like "<script>XSS!</script>" and friends without any filtering
I'll post the results later on - maybe tomorrow or whenever I'm done with the testing.
You'd be unlikely to succeed with an XSS attack via email. Most clients disable JS, and web-based services would be foolish not to filter it themselves

Posted: Wed Apr 11, 2007 3:14 pm
by Oren
d11wtq wrote:You'd be unlikely to succeed with an XSS attack via email. Most clients disable JS, and web-based services would be foolish not to filter it themselves

Exactly, that's why I asked if there is any need to filter it at all. Then what do you say, I can just pass $_POST['msg'] to Swift or what?
Posted: Wed Apr 11, 2007 5:16 pm
by Chris Corbyn
Oren wrote:d11wtq wrote:You'd be unlikely to succeed with an XSS attack via email. Most clients disable JS, and web-based services would be foolish not to filter it themselves

Exactly, that's why I asked if there is any need to filter it at all. Then what do you say, I can just pass $_POST['msg'] to Swift or what?
I'd still filter it with HTMLPurifier. It's a piece of cake and there's no harm in filtering yourself. You can't rely on other people's security

Posted: Wed Apr 11, 2007 5:21 pm
by Oren
d11wtq wrote:there's no harm in filtering yourself.
Now that sounds funny, say it loudly

Posted: Wed Apr 11, 2007 5:26 pm
by John Cartwright
Posted: Thu Apr 12, 2007 4:41 am
by Oren
What?
Posted: Wed Oct 24, 2007 3:19 am
by gr8dane
Chris Corbyn wrote:I'd still filter it with HTMLPurifier.
If I understand it correctly, HTMLPurifier cleans up HTML. So I'm curious why you recommend its use, in conjunction with SwiftMailer, for filtering input from a contact form. What does it do to data that doesn't (or shouldn't) contain HTML markup that makes it more secure? Would just using these two together assure me of a secure form, or are there still things I should do in addition? Also, how would I implement the two together (this is all new to me, so the more details, the better)?
Posted: Thu Oct 25, 2007 3:28 pm
by Ambush Commander
If the input data is not HTML, do not run HTML Purifier on it.
There. I've said it.
On the other hand, if the input data is HTML...
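Putting the two points of the thread together (Chris Corbyn's concern about header injection, and Ambush Commander's rule that HTML Purifier is only for input that really is HTML), here is an added example of a contact-form handler. It is not code from any post above and not Swift Mailer's or HTML Purifier's own code. It assumes the Swift Mailer 4 API (Swift_Message, Swift_Mailer, Swift_MailTransport) and HTML Purifier's HTMLPurifier and HTMLPurifier_Config classes, both loaded through their autoloaders; the form field names subject and email are made up (only msg appears in the thread) and the addresses are placeholders. The checks are applied before the values reach the library, so they hold whatever the library itself does with header values.

```php
<?php
// Added example (not from the thread, Swift Mailer or HTML Purifier): a contact
// form handler that keeps visitor-controlled values out of mail headers and
// applies HTML Purifier only when the body is HTML.
// Assumptions: Swift Mailer 4 API and HTML Purifier autoloaders below; the
// $_POST field names subject/email are made up; addresses are placeholders.

require_once 'swift_required.php';        // assumption: Swift Mailer 4 autoloader
require_once 'HTMLPurifier.auto.php';     // assumption: HTML Purifier autoloader

/**
 * Reject any value that could end a header line. A CR or LF inside a subject
 * or address is what allows extra headers to be appended to the message,
 * which is the header-injection risk raised in the thread.
 */
function assertSingleLine($value, $field)
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException("$field must not contain line breaks");
    }
    return $value;
}

/**
 * Validate the visitor's address. A syntactically valid address cannot contain
 * CR/LF, so this check also covers header injection through that field.
 */
function validEmailOrFail($value)
{
    $email = filter_var(trim($value), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('Invalid e-mail address');
    }
    return $email;
}

/**
 * Build the message. The visitor's address goes into Reply-To, never From:
 * From is a fixed, site-owned address, so the sender cannot forge it and the
 * mail server sees an address it is allowed to send as.
 */
function buildContactMessage(array $post, $isHtml)
{
    $subject = assertSingleLine(trim($post['subject']), 'subject');
    $replyTo = validEmailOrFail($post['email']);
    $body    = $post['msg'];

    $message = Swift_Message::newInstance(substr($subject, 0, 200))
        ->setFrom(array('contact@example.com' => 'Contact form')) // placeholder
        ->setTo(array('owner@example.com'))                        // placeholder
        ->setReplyTo(array($replyTo));

    if ($isHtml) {
        // Only an HTML body is purified: HTML Purifier strips scripts,
        // event-handler attributes and tags outside its whitelist.
        $purifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());
        $message->setBody($purifier->purify($body), 'text/html');
    } else {
        // Plain text is not purified (that would mangle ordinary text);
        // sending it as text/plain means clients will not render it as HTML.
        $message->setBody($body, 'text/plain');
    }
    return $message;
}

// Usage:
// $mailer = Swift_Mailer::newInstance(Swift_MailTransport::newInstance());
// $mailer->send(buildContactMessage($_POST, false));
```

The split is the point of Ambush Commander's answer: for a plain-text contact form the body needs no HTML filtering, only a text/plain content type, while the header fields still need the line-break and address checks regardless of the body type.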