For HTML input, I want to neutralize all HTML elements that have inline js (onclick="..", onmouseout=".." etc).
I am thinking, isn't it enough to encode the following chars? =,(,)
So onclick="location.href='ggg.com'"
will become
onclick%3D"location.href%3D'ggg.com'"
What am I missing here?
Edit: I do need to accept active HTML (I...
What do you all think is the correct (read: most flexible, loosely coupled, most robust, etc.) way to make user input from the web safe for use in various parts of a web application? Obviously we can just use the respective sanitization functions for each context (database, display on screen, save on disk, etc.), but is there some gener...
How do you sanitize data in $_GET -variables by PHP?
I sanitize only one variable in GET by strip_tags.
I am not sure whether I should sanitize everything or not, because last time in putting data to Postgres, the problem was most easily solved by the use of pg_prepare.
...
I'm writing an application for the iPhone that communicates with a SQLite database but I'm running into a small problem. Whenever I try to query information based on a condition that contains an apostrophe, no results are returned.... even if a result that matches the requested condition exists. Let me give some specifics...
SQLite Ta...
I am looking at allowing users to enter JavaScript to specify some logic in my app. The JavaScript would be entered and displayed in a browser, but it would be saved and validated server-side first.
This opens up obvious security implications.
Ideally, I would want to only allow a subset of the JavaScript language. Intuitively, an op...
Users can edit "articles" in my application. Each article is mastered in the DB and sent to the client as Markdown -- I convert it to HTML client side with Javascript.
I'm doing this so that when the user wants to edit the article he can edit and POST the Markdown right back to the server (since it's already on the page).
My question i...
Users on my site can post news items. But right now, it's all honor system as far as HTML goes.
function postNewsItem($subject, $body, $userid){
$time = time();
$subject = mysql_real_escape_string($subject);
$body = mysql_real_escape_string($body);
$q = "INSERT INTO news (subject, body, userid) VALUES ('$subject', '$body', '$use...
I have coded the next function. But surely someone has a more elegant way to perform this task.
/**
*
* HTML 4 Specification
* ID and NAME tokens must begin with a letter ([A-Za-z]) and may be followed by any number
* of letters, digits ([0-9]), hyphens ("-"), underscores ("_"), colons (":"), and periods (".").
* @param s
* @re...
Hello,
Firstly, I do not have any malicious intent out of this question. I would like to know what text to copy paste and test in my text areas and text boxes to see if they are stripped correctly.
Currently I use something as limited as:
<script>
alert('xss');
</script>
<a href="www.test.com" onclick="javascript:alert('xss');">test</...
This is in reference to this (excellent) answer. He states that the best solution for escaping input in PHP is to call mb_convert_encoding followed by html_entities. But why exactly would you call mb_convert_encoding with the same to and from parameters (UTF8)? Does this have some sort of benefit I'm missing?
...
Hello,
I am programming a blog and I want the URIs to be the title like the question title here in stackoverflow or like wordpress.
What are the rules for sanitizing a URI?
Is there an already made code in PHP that does this?
Thanks in advance,
Omer
...
Is there a .Net library which everyone uses to validate/cleanup user input from website. It seems like there are a lot of posts explaining which regex people use and when. While I do like to reinvent the wheel quite frequently I draw the line at user input.
Mostly I am not worried about SQL injection, but rather am concerned about html...
I understand the need to sanitize inputs from an HTML form, but when I sanitized the file upload field in a recent module of mine, the file upload started failing. It's important to sanitize all form inputs, right? Even the special file upload field?
My form output code looks something like this:
use CGI;
my $cgi = new CGI;
print $c...
I have a code blog in which I have a user input form for submissions. Whatever goes in that form will appear on one of the pages. Now this is a coding blog, so I don't want to strip any HTML tags or javascript code from the input, but I don't want it to be executed at any point. What is the best way to render any input harmless? Is replacin...
I have text stored in SQL as HTML. I'm not guaranteed that this data is well-formed, as users can copy/paste from anywhere into the editor control I'm using, or manually edit the HTML that's generated.
The question is: what's the best way of going about removing or somehow ignoring <script/> and <form/> tags so that, when the user's te...
I'm just thinking about the best way to go about sanitizing my data to prevent injection attacks. Some people like to sanitize immediately before output, or immediately before insertion to the database... but the problem I see with this is twofold: (1) what if you miss a parameter/variable? (2) what if you're over-sanitizing? Not that it...
I have a website in php that does include() to embed the content into a template. The page to load is given in a get parameter, I add ".php" to the end of the parameter and include that page. I need to do some security check to avoid XSS or other stuff (not mysql injection since we do not have a database). What I've come up with is the f...
Can anyone provide a function to sanitize input for a UniData query? Or provide a list of things to remove?
...
Ok, so I have been reading about markdown here on SO and elsewhere and the steps between user-input and the db are usually given as
convert markdown to html
sanitize html (w/whitelist)
insert into database
but to me it makes more sense to do the following:
sanitize markdown (remove all tags -
no exceptions)
convert to html
insert ...
What would be the most efficient way to clean a user input that is a comma-separated string made entirely of numbers - e.g.
2,40,23,11,55
I use this function on a lot of my inputs
function clean($input){ $input=mysql_real_escape_string(htmlentities($input,ENT_QUOTES)); return $input; }
And on simple integers I do:
if (!filter_v...