August 11, 2013 at 5:18 pm #146455
I’m working on a forum where users can input their own posts (and later edit them) and I need their input to be properly escaped, sanitised, validated, … This may not seem like a difficult thing to do but I ran into some serious problems along the way.
I think I’m finished with the post content escaping, here is how I did it using HTMLPurifier:
    // Assumes the HTMLPurifier library and a Markdown library (e.g. PHP Markdown Lib's
    // Michelf\Markdown, pulled in with a use statement) are already loaded.
    $content = Markdown::defaultTransform($_POST['content']); // Markdown -> HTML
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Core.Encoding', 'UTF-8');
    $config->set('HTML.Doctype', 'XHTML 1.0 Transitional');
    $config->set('Cache.DefinitionImpl', null); // no definition cache
    // Whitelist of allowed tags and attributes; everything else is stripped
    $config->set('HTML.Allowed', 'a[href|title],blockquote[cite],p,ul,li,strong,em,pre,code,img[src]');
    $purifier = new HTMLPurifier($config);
    $title = $purifier->purify($title);     // $title is prepared earlier from $_POST['title']
    $content = $purifier->purify($content);
The input is markdown so first I convert that into HTML and then I purify the HTML with HTMLPurifier.
This was the easy part, however doing the same for the post title is way harder. I can get the title input ready to be inserted in the database fairly easily by doing this:
    // Collapse runs of whitespace, trim, then entity-encode (both quote styles, UTF-8 input)
    $title = htmlentities(preg_replace('!\s+!', ' ', trim($_POST['title'])), ENT_QUOTES, 'UTF-8');
This will deal with single quotes, double quotes, < and >.
test <"> test <'> will be converted into
test &lt;&quot;&gt; test &lt;&#039;&gt; (with less than, quote, greater than, …).
Then I insert the newly converted string into the database. Up to this point I think I’m doing everything ok, but once my users need to edit the post title I need to get it out of the database and into an input type “text”. This is where I got screwed up.
When I get the string test &lt;&quot;&gt; test &lt;&#039;&gt; (with less than, quote, greater than, …) from the database and insert it into the value of the input type “text” it appears correctly, but if I want to purify it like the content, the single quotes turn back into
Is the post title still secured from XSS injection when I don’t purify it?
Or are there better/easier alternative ways of doing this?
Note: I am using PDO so escaping input data to prevent SQL injection won’t be an issue.
August 12, 2013 at 6:56 am #146504
Be aware that “using PDO” does not, in and of itself, do anything special in terms of SQL injection. Do you mean to say that you’re using prepared statements?
Yup I’m using prepared statements, sorry my bad :)
Since you’re allowing users to come back and edit things, I would suggest saving the original (non-htmlpurifier’d) content in the database alongside the “display-ready” content.
Yes I’m already saving both in the database but shouldn’t I purify the original too? It’s only echoed inside a <textfield> but what if they just put </textfield> and their ‘evil code’?
as long as you remember to clean it up before printing it.
htmlentities would prevent this but isn’t it better to run that function once and insert the ‘clean input’ into the database rather than calling it every time it gets requested?
August 12, 2013 at 12:24 pm #146556
@traq could you please, if you want to and if you’ve got time, take a look at my code? I’m kind of confused is the least you can say…
August 12, 2013 at 12:35 pm #146559
Ok thanks for the support :)
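As an added illustration of the approach traq suggests (keep the original text in the database and escape it at output time for the context it is echoed into), here is example code that is not from the thread. The sample title is constructed; it shows the title rendered in the page body, inside an input value attribute, and inside a textarea, and it shows what happens when a value that was already entity-encoded at insert time is escaped a second time, which is the kind of double transformation the thread runs into.

```php
<?php
// Added example, not code from the thread. Pattern: normalise on input,
// store the raw text, escape on output for the context it is echoed into.

// Input-side normalisation only (no HTML escaping here): collapse whitespace.
function normalizeTitle($raw)
{
    return preg_replace('/\s+/', ' ', trim($raw));
}

// Output-side escaping for HTML text nodes and quoted attribute values.
// ENT_QUOTES turns both ' and " into entities, so the result is safe inside
// value="..." and value='...' as well as between tags.
function e($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample title, as it would be stored raw in the database.
$storedTitle = normalizeTitle("test <\"> test <'>   </textarea><script>alert(1)</script>");

// 1. Display context: the title in the page body.
echo '<h1>' . e($storedTitle) . "</h1>\n";

// 2. Edit context: the same raw value inside an <input type="text">.
//    The " in the title becomes &quot;, so it cannot end the attribute.
echo '<input type="text" name="title" value="' . e($storedTitle) . "\">\n";

// 3. Edit context for longer text: a <textarea>. The </textarea> in the
//    stored value becomes &lt;/textarea&gt;, so it cannot close the element.
echo '<textarea name="content">' . e($storedTitle) . "</textarea>\n";

// 4. Escaping twice: if the value had been entity-encoded when it was inserted
//    and is escaped again on output, the & of every entity is encoded once more
//    and the user sees the literal text "&lt;" instead of "<" in the edit form.
$encodedAtInsert = htmlentities($storedTitle, ENT_QUOTES, 'UTF-8');
echo e($encodedAtInsert) . "\n";
```

Escaping once, at the point of output, means the same stored title can be shown in the body, put back into an edit form, or handed to a non-HTML consumer (an API, a feed) without undoing an earlier encoding first; the cost of one htmlspecialchars call per render is negligible next to the database query that fetched the row.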