Lester Caine <les...@lsces.co.uk> wrote on Sun., 19 June 2016, 22:03:

> On 19/06/16 19:33, Михаил Востриков wrote:
> > Lester
> >
> >> > there is NO need to simply slap htmlspecialchars() onto
> >> > properly built data
> > There are many cases when user data can contain quotes or other html
> > entities.
> >
> > <img title="<?= $book['title'] ?>" />
> > // $book['title'] = 'When we say "Hello"';
> >
> > <div><?= $user['about_me'] ?></div>
> > // $user['about_me'] = 'I am a programmer. I like to write
> > <script>alert("xss")</script> in "About me" field';
>
> ( Cut moan about top posting and duplicating sigs and I use plain text
> for any email archive )
>
> Now ... I want to add content that includes
> <script>alert("xss")</script> it needs to be in the format
> &lt;script&gt;alert(&quot;xss&quot;)&lt;script&gt; so that it never
> appears in the 'dangerous' format, but if $user['about_me'] is
> designated a simple text string, then any attempt to add
> <script>alert("xss")</script> via an input should be blocked!


No, it shouldn't be blocked. It should just be escaped on output. What if
that's a comment to a tech blog, where we talk about these things instead
of trying to find a vulnerability?

> The input processing of text needs to understand what it is expecting to receive
> and process it accordingly, so if the content is material such as email
> messages it can be correctly processed for storage by escaping if
> necessary. The fun comes when you are looking for content such as "About
> me" AFTER the data has been sanitised. In this case the search term
> needs to be processed as well so &quot;About me&quot; ...


One more reason not to escape on input.

> so again one
> needs to know just what state the data is in and my input process
> converts ' to &#39; as well to be safe when using single quotes.
>

What if you suddenly start to output it in JSON or plain text format?
Suddenly you need a different escaping.

You really shouldn't escape on input, as your input doesn't know where it's
used.

What you should do on input is validation, so decide whether it's in the
right format. But if it doesn't validate, you reject it and don't even save
it.

> Of course there are very good reasons why messages and comments should be
> limited to simple text. Many Wordpress/Joomla/etc problems would have
> been prevented if the trend to use HTML for everything had not started.
> Stripping any tags and just leaving the raw text is ideal for comment fields
> which can be the target for scammers where uncontrolled access may be
> required. And if there is a limit on field size in the database, the
> same restriction should apply to the data entry ... If the data is
> expanded by the sanitising process that also needs to be taken into
> account, along with multi byte characters.
>
> --
> Lester Caine - G8HFL
> -----------------------------
> Contact - http://lsces.co.uk/wiki/?page=contact
> L.S.Caine Electronic Services - http://lsces.co.uk
> EnquirySolve - http://enquirysolve.com/
> Model Engineers Digital Workshop - http://medw.co.uk
> Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
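The approach argued for in the reply above (validate on input, store the raw text, escape per output context), worked through in PHP as an added example; this is not code from either poster or from PHP itself. The function names `validateAboutMe`, `escHtml` and `escJson` are hypothetical, the sample data is constructed from the thread's own examples, and the length limit stands in for whatever the database column allows.

```php
<?php
// Added example (not from the thread): store raw, validate on input,
// escape on output, with the escaping chosen by the output context.
declare(strict_types=1);

// Input side: check shape only, never rewrite the value.
// Returns the string unchanged, or null if it is rejected (the caller
// then refuses to save it, as the reply suggests).
function validateAboutMe(string $input, int $maxChars = 500): ?string
{
    // Reject bytes that are not valid UTF-8; a later escaper would otherwise
    // have to guess at them.
    if (!mb_check_encoding($input, 'UTF-8')) {
        return null;
    }
    // Enforce the column limit in characters, not bytes, so multi-byte text
    // is measured the same way the user sees it.
    if (mb_strlen($input, 'UTF-8') > $maxChars) {
        return null;
    }
    return $input; // stored exactly as typed
}

// Output side: one escaper per context.

// HTML body text and double- or single-quoted attributes. ENT_QUOTES
// encodes both quote characters, so the same call is safe in
// title="..." as in <div>...</div>.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JSON output. The JSON_HEX_* flags hex-encode <, >, &, ' and " so the
// result stays inert even if the JSON is later placed inside a <script>
// element; note this is a completely different transformation from the
// HTML one, which is the reply's point about escaping on input.
function escJson(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample data, taken from the examples quoted in the thread.
$book = ['title' => 'When we say "Hello"'];
$user = ['about_me' => 'I am a programmer. I like to write '
    . '<script>alert("xss")</script> in "About me" field'];

$about = validateAboutMe($user['about_me']);
if ($about === null) {
    throw new RuntimeException('about_me rejected on input');
}

// The same stored string rendered into three contexts.
echo '<img title="' . escHtml($book['title']) . '" />', "\n";
echo '<div>' . escHtml($about) . '</div>', "\n";
echo '{"about_me":' . escJson($about) . '}', "\n";

// Plain-text context (for example an e-mail body): no HTML escaping at all.
echo $about, "\n";

// Searching works against the raw text because nothing was rewritten on
// input; had the quotes been turned into &quot; at input time, this
// lookup would have to be escaped the same way to match.
var_dump(str_contains($about, '"About me"'));
```

Run it with `php example.php` (PHP 8 or later, for `str_contains`). The HTML rendering shows the quotes in the `title` attribute and the `<script>` text in the `<div>` turned into entities, while the JSON rendering hex-escapes the same characters; the plain-text line is untouched. Keeping the stored value raw is what lets all three renderings and the search share one copy of the data.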
