On 20/06/16 07:00, Niklas Keller wrote:
>> Now ... I want to add content that includes
>> > <script>alert("xss")</script> it needs to be in the format
>> > <script>alert("xss")<script> so that it never
>> > appears in the 'dangerous' format, but if $user['about_me'] is
>> > designated a simple text string, then any attempt to add
>> > <script>alert("xss")</script> via an input should be blocked!
>
> No, it shouldn't be blocked. It should just be escaped on output. What if
> that's a comment to a tech blog, where we talk about these things instead
> of trying to find a vulnerability?
Re-read what I wrote! You should ALWAYS sanitise simple text such as short
descriptions, and even user names and other simple text fields, and I would
always do that with strings like $user['about_me'] ... '<?~' creates a false
sense of security when users should be educated as to the risks that NOT
validating data can create. Such as overflowing field sizes and creating text
which internally can cause problems even before outputting to a browser ...
such as quotes in combined strings.

( Rowan sums up the output side nicely ... )

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
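An added PHP example, not code from either poster, showing the split the two messages argue over: validate size and encoding on input, store the text exactly as typed, and escape it for the HTML text context on output so a comment that mentions `<script>alert("xss")</script>` renders as literal text. The helper names `validateAboutMe` and `e` and the 500-character limit are assumptions.

```php
<?php
// Added example (not from the thread): validate on input, escape on output.
// $user['about_me'] is the field named in the thread; helpers are hypothetical.

declare(strict_types=1);

// Input side: reject what cannot be stored or handled safely (bad encoding,
// oversized fields, control characters), but do NOT strip or block text that
// merely looks like markup, such as <script>. That is a rendering concern.
function validateAboutMe(string $input, int $maxLen = 500): string
{
    if (!mb_check_encoding($input, 'UTF-8')) {
        throw new InvalidArgumentException('about_me must be valid UTF-8');
    }
    // Normalise line endings, then drop Unicode control characters
    // (category C) except newline and tab.
    $normalised = str_replace("\r\n", "\n", $input);
    $clean = preg_replace('/[^\P{C}\n\t]/u', '', $normalised);
    if ($clean === null) {
        throw new InvalidArgumentException('about_me could not be processed');
    }
    if (mb_strlen($clean, 'UTF-8') > $maxLen) {
        throw new InvalidArgumentException("about_me exceeds $maxLen characters");
    }
    return $clean;
}

// Output side: escape for an HTML text/attribute context at render time.
// ENT_QUOTES also converts single quotes; ENT_SUBSTITUTE avoids an empty
// string on an invalid byte sequence slipping through from old data.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: a tech-blog comment that talks about XSS.
$user = [
    'about_me' => validateAboutMe(
        'I write about <script>alert("xss")</script> payloads & "quotes".'
    ),
];

// Stored verbatim, so nothing the commenter wrote is lost ...
echo $user['about_me'], PHP_EOL;
// ... and rendered inert: the browser displays the tag instead of running it.
echo '<p>', e($user['about_me']), '</p>', PHP_EOL;
```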