Q and A for any cross site scripting information. Feel free to ask away. 
Best way to sanitize input?
Posted by: doody
Date: August 02, 2010 03:13AM

I'm looking for the best way to sanitize all my input using PHP. I want it to be just like Facebook: only plain text is allowed, no tags of any sort.



Edited 1 time(s). Last edit at 08/02/2010 03:13AM by doody.

Re: Best way to sanitize input?
Posted by: Gareth Heyes
Date: August 02, 2010 03:32AM

Whitelist + escape output

$output = preg_replace("/[^0-9a-zA-Z ,.';()&!?=-]/","", $_GET['input']);
$output = htmlentities($output, ENT_QUOTES, 'UTF-8');

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Best way to sanitize input?
Posted by: doody
Date: August 02, 2010 07:15AM

Hmm, but the preg_match also stops me from using the < and > characters. Would it be safe to add those to the regexp?

Edit: I decided to try with the preg_match line commented out. Looks safe since I can do stuff like <b>bold text</b> but it'll be displayed verbatim. Is there any workaround that I might not know of?



Edited 1 time(s). Last edit at 08/02/2010 07:24AM by doody.

Re: Best way to sanitize input?
Posted by: Gareth Heyes
Date: August 02, 2010 07:24AM

@doody

Yeah, you could add them, but you said plaintext so I thought you didn't want to include them. It's also a good idea to limit the length. So, in summary: restrict each variable to a whitelist of characters, limit the length, and finally escape the output depending on the context.

If you'd like to add plain html to your site I've been working on a method in JavaScript to do that:-
http://code.google.com/p/htmlreg/source/browse/trunk/HTMLReg/samples/test.php

Or alternatively you can use htmlpurifier:-
http://htmlpurifier.org/


Re: Best way to sanitize input?
Posted by: Skyphire
Date: August 03, 2010 02:08PM

If you want bbcode, you can do it like this:

$value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');

$value = str_replace("[b]","<b>",$value); // posted as "[ b]" so the board would not parse it; remove the space
$value = str_replace("[/b]","</b>",$value);

etc...

Re: Best way to sanitize input?
Posted by: Kyo
Date: February 15, 2011 06:29PM

Not really a good idea to replace closing and opening tags separately if you're going for valid (X)HTML.

edit: I posted on an old thread again, didn't I?



Edited 1 time(s). Last edit at 02/15/2011 06:29PM by Kyo.
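An added example (editor's code, not from any post in the thread; function names are my own) that puts Gareth's whitelist + length limit + context escaping together with Skyphire's bbcode idea, and shows the unbalanced-tag problem Kyo points out: escaping first and converting only balanced [b]...[/b] pairs keeps the output valid HTML even when a tag is missing or stray.

```php
<?php
// Added example; not code from the thread. Function names are the editor's own.

// Plain-text field: length limit, character whitelist, then escape for an HTML context.
function sanitize_plain(string $input, int $maxLen = 200): string
{
    $input = mb_substr($input, 0, $maxLen, 'UTF-8');
    $input = preg_replace("/[^0-9a-zA-Z ,.';()&!?=-]/", '', $input);
    return htmlentities($input, ENT_QUOTES, 'UTF-8');
}

// Naive bbcode: [b] and [/b] are replaced independently, so a stray or
// missing tag yields unbalanced <b> elements (Kyo's objection).
function bbcode_naive(string $input): string
{
    $value = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
    $value = str_replace('[b]', '<b>', $value);
    return str_replace('[/b]', '</b>', $value);
}

// Safer bbcode: escape first (htmlspecialchars leaves [ and ] untouched), then
// convert only balanced [b]...[/b] pairs; unmatched tags stay as literal text.
function bbcode_balanced(string $input, int $maxLen = 2000): string
{
    $input = mb_substr($input, 0, $maxLen, 'UTF-8');
    $value = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
    return preg_replace('/\[b\](.*?)\[\/b\]/s', '<b>$1</b>', $value);
}

// Constructed sample inputs.
$samples = [
    '[b]bold[/b] and <i>literal markup</i>',
    'unterminated [b]bold',
    '[b]inner <b>tag</b>[/b]',
];
foreach ($samples as $s) {
    echo "naive:    " . bbcode_naive($s) . "\n";
    echo "balanced: " . bbcode_balanced($s) . "\n";
}
echo sanitize_plain("Hello <world>, it's 5 o'clock!") . "\n";
```

For the second sample the naive version emits an opening `<b>` with no close, while the balanced version leaves `[b]` as text; in both, any user-supplied `<` is already `&lt;` before the bbcode step runs.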
