On 19/06/16 19:33, Михаил Востриков wrote:
> Lester
>
>> > there is NO need to simply slap htmlspecialchars() onto
>> > properly built data
> There are many cases when user data can contain quotes or other html
> entities.
>
> <img title="<?= $book['title'] ?>" />
> // $book['title'] = 'When we say "Hello"';
>
> <div><?= $user['about_me'] ?></div>
> // $user['about_me'] = 'I am a programmer. I like to write
> <script>alert("xss")</script> in "About me" field';
( Cut moan about top posting and duplicating sigs and I use plain text for any email archive )

Now ... I want to add content that includes <script>alert("xss")</script> it needs to be in the format &lt;script&gt;alert("xss")&lt;/script&gt; so that it never appears in the 'dangerous' format, but if $user['about_me'] is designated a simple text string, then any attempt to add <script>alert("xss")</script> via an input should be blocked! The input processing of text needs to understand what it is expecting to receive and process it accordingly, so if the content is material such as email messages it can be correctly processed for storage by escaping if necessary.

The fun comes when you are looking for content such as "About me" AFTER the data has been sanitised. In this case the search term needs to be processed as well so "About me" ... so again one needs to know just what state the data is in and my input process converts ' to ' as well to be safe when using single quotes.

Of course there are very good reasons why messages and comments should be limited to simple text. Many Wordpress/Joomla/etc problems would have been prevented if the trend to use HTML for everything had not started. Stripping any tags and just leaving the raw text is ideal for comment fields which can be the target for scammers where uncontrolled access may be required. And if there is a limit on field size in the database, the same restriction should apply to the data entry ... If the data is expanded by the sanitising process that also needs to be taken into account, along with multi byte characters.

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
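An added example, not from either poster, showing the two templates from the thread with escaping applied at output time, plus the two follow-on points raised in the reply: searching stored escaped text and the size growth that escaping causes. It assumes PHP 8 (for str_contains) and uses constructed sample values.

```php
<?php
// Added example (not code from the thread): escape at output, per context,
// with one helper, instead of storing pre-sanitised HTML. Assumes PHP 8.
declare(strict_types=1);

function e(string $s): string
{
    // ENT_QUOTES also converts single quotes, so the result is safe inside
    // single- or double-quoted attributes; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample data matching the two cases in the quoted message.
$book = ['title' => 'When we say "Hello"'];
$user = ['about_me' => 'I am a programmer. I like to write '
    . '<script>alert("xss")</script> in "About me" field'];

// Attribute context: the embedded quotes can no longer end the attribute.
$img = '<img title="' . e($book['title']) . '" />';
// Element content: the tags are rendered as literal text, nothing executes.
$div = '<div>' . e($user['about_me']) . '</div>';
echo $img, "\n", $div, "\n";

// If escaped text is what gets stored, the search term has to go through
// the same transformation, otherwise a quoted phrase is never matched.
$stored = e($user['about_me']);
$needle = e('"About me"');
var_dump(str_contains($stored, $needle));

// Escaping expands the string: a character limit enforced on raw input is
// not a byte limit on the escaped form, and multibyte characters add to the
// difference between character count and byte count.
$raw = 'Café "bar" <b>';
printf("chars=%d raw_bytes=%d escaped_bytes=%d\n",
    mb_strlen($raw, 'UTF-8'), strlen($raw), strlen(e($raw)));
```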