[PHP] Dealing With User Entering a Script

Stephen
[PHP] Dealing With User Entering a Script
December 13, 2016 05:41AM
I dug back to see where I got the idea of using htmlentities() on user
input.

This came from the book Modern PHP and deals with a user entering in a
text box something like:

<script>window.location.href='http://example.com';</script>

Is there a better way of dealing with this?


For context, I am creating a user registration field and there is a
textarea field for their bio.

Thank you!

--
Stephen

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Ashley Sheridan
Re: [PHP] Dealing With User Entering a Script
December 13, 2016 05:41AM
On Fri, 2016-07-22 at 14:19 -0400, Stephen wrote:
> I dug back to see where I git the idea of using htmlentities() on user
> input.
>
> This came from the book Modern PHP and deals with a user entering in a
> text box something like:
>
> <script>window.location.href='http://example.com';</script>
>
> Is there a better way of dealing with this?
>
>
> For context, I am creating a user registration field and there is a
> textarea field for their bio.
>
> Thank you!
>
> --
> Stephen
>

That script tag is not a problem if you're putting that data into a
database. The DB doesn't need to be protected against anything other
than SQL injection, which a <script> tag is not.

You only use htmlentities (now you might be better using filter_var -
look up the manual for usage) when outputting that content onto a page
that is HTML (or XML). If you're not outputting it, or outputting it as
PDF or text, then you won't need to run that (you'll need other things
possibly instead, particularly for PDF).

It's typically a bad idea to alter data in this way, as it cannot be
undone, and it isn't applicable to the DB anyway.

Thanks,
Ash

http://www.ashleysheridan.co.uk




Jeffry Killen
Re: [PHP] Dealing With User Entering a Script
December 13, 2016 05:41AM
On Jul 22, 2016, at 11:19 AM, Stephen wrote:

> I dug back to see where I git the idea of using htmlentities() on
> user input.
>
> This came from the book Modern PHP and deals with a user entering in
> a text box something like:
>
> <script>window.location.href='http://example.com';</script>
>
> Is there a better way of dealing with this?
>
>
> For context, I am creating a user registration field and there is a
> textarea field for their bio.
>
> Thank you!
>
> --
> Stephen
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

There should not be a problem with script code entered into a text
field or textarea element because the browser treats it like a single
quoted string. So the script won't be run in the client.

I would have php look for embedded script tags and str_replace() them
when the form data is submitted. OR, if you are up on javascript, have
it intercept the submit process and clean the form input.

I have developed a crude way of editing source code that loads anything
and everything into a textarea element for editing with no worry of the
browser executing any code in the textarea. Even php open and close
tags in php script files won't cause it to run php code.

JK

Ashley Sheridan
Re: [PHP] Dealing With User Entering a Script
December 13, 2016 05:41AM
On Fri, 2016-07-22 at 13:52 -0700, Jeffry Killen wrote:
> On Jul 22, 2016, at 11:19 AM, Stephen wrote:
>
> > I dug back to see where I git the idea of using htmlentities() on
> > user input.
> >
> > This came from the book Modern PHP and deals with a user entering in
> > a text box something like:
> >
> > <script>window.location.href='http://example.com';</script>
> >
> > Is there a better way of dealing with this?
> >
> >
> > For context, I am creating a user registration field and there is a
> > textarea field for their bio.
> >
> > Thank you!
> >
> > --
> > Stephen
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
>
> There should not be a problem with script code entered into a text
> field or
> textarea element because the browser treats it like a single quoted
> string.
> So the script won't be run in the client.
>
> I would have php look for embedded script tags and str_replace() them
> when the form data is submitted. OR, if you are up on javascript, have
> it
> intercept the submit process and clean the form input.
>
> I have developed a crude way of editing source code that load anything
> and every thing into a textarea element for editing with no worry of the
> browser executing any code in the textarea. Even php open and close
> tags in php script files won't cause it to run php code.
>
> JK
>

You should never solely rely on any client-side validation, as that is
easily circumvented.

As I said before, you shouldn't be looking to just alter content
submitted to your app if it doesn't need it. If that data is only going
to the DB, then it does not need <script> tags removed.

If you're displaying that user-supplied content on your website
afterwards, then sanitise it only at the point that it is being
displayed.

I know it's very tempting to just clobber user input with everything
that is at hand, but it really pays off to understand the entire process
of the route data takes through your application and the risks at each
part. Running HTML sanitisation on data intended for a database is not
advised and sometimes pointless (e.g. an app that outputs user
submissions into a CSV for download).

I wrote something on this just under 2 years ago for my last company as
part of a coding standards document:
https://github.com/tmwagency/TMW-PHP-coding-standards/blob/master/php%20coding%20standards%20github%20format.md#sql-injection

It also has a link to more resources on why running htmlentities before
a database insert is not recommended.

Thanks,
Ash

http://www.ashleysheridan.co.uk




Stephen
Re: [PHP] Dealing With User Entering a Script
December 13, 2016 05:41AM
On 16-07-22 02:42 PM, Ashley Sheridan wrote:
> On Fri, 2016-07-22 at 14:19 -0400, Stephen wrote:
>> I dug back to see where I git the idea of using htmlentities() on user
>> input.
>>
>> This came from the book Modern PHP and deals with a user entering in a
>> text box something like:
>>
>> <script>window.location.href='http://example.com';</script>
>>
>> Is there a better way of dealing with this?
>>
>>
>> For context, I am creating a user registration field and there is a
>> textarea field for their bio.
>>
>> Thank you!
>>
>> --
>> Stephen
>>
>
> That script tag is not a problem if you're putting that data into a
> database. The DB doesn't need to be protected against anything other
> than SQL injection, which a <script> tag is not.
>
> You only use htmlentities (now you might be better using filter_var -
> look up the manual for usage) when outputting that content onto a page
> that is HTML (or XML). If you're not outputting it, or outputting it as
> PDF or text, then you won't need to run that (you'll need other things
> possibly instead, particularly for PDF)
>
> It's typically a bad idea to alter data in this way, as it cannot be
> undone, and it isn't applicable to the DB anyway.

To learn, I push back.

Why has BBcode become the norm on most bulletin-board-like web sites?

--
Stephen

Tedd Sperling
Re: [PHP] Dealing With User Entering a Script
December 13, 2016 05:41AM
Hi:

You asked:

> Is there a better way of dealing with this?

When dealing with any web-data you collect, you need to consider what you’re going to do with it.

I think "Richard Lynch" said it best:

<quote>

You're actually conflating not one, but TWO (!) different problems.

Number 1 is to "filter input".
What that means specifically is to be sure that the user input looks
EXACTLY the way you expect.

Number 2 is to "escape output"
What that means specifically is to transform any given chunk of data
to a format suitable for its output medium.

For example, ANY output headed to the browser should have
http://php.net/htmlentities called on it.

If it's headed out to a database, it should have a database-specific
function called, such as http://php.net/mysql_real_escape_string

If it's going to be data in a GET parameter in a URL, it needs
http://php.net/urlencode called FIRST, and then htmlentities.

If it's headed to XML, however, it should have some kind of XML
function called to wrap it into CDATA or a pre-defined data type /
format.

If it's headed out to Javascript, I think you want http://php.net/json

So, you've really got TWO phases:

filter input; escape output

Why it matters is that Evil People do exist, and they WILL find a way
to cause damage to you or even to others, if you fail to do this.

Common hacks include executing SQL to damage databases, or adding
Javascript to deface websites, or even adding Javascript to use YOUR
web-site in an attack upon another website.

Here is a good starting point for some of the details of what to do
and why:
http://phpsec.org/

ALSO

If some random 'net user can send POST data, and you just blindly spit
it out, with no filtering and no escaping, then, yes, that is
insecure.

There are all manner of nasty things that can be done to this setup by
other users.

Example:
They can send whatever POST data they want, which can include
JavaScript, which you blindly echo out, which can make your site
"look" like another site's login, but sends THEM the login info.

So now they are using your site as a dropbox in a phishing attack.

And that's just ONE example from a dozen.

</quote>

Cheers,


tedd

_______________
tedd sperling
tedd.sperling@gmail.com


---


> On Jul 22, 2016, at 2:19 PM, Stephen <[email protected]> wrote:
>
> I dug back to see where I git the idea of using htmlentities() on user input.
>
> This came from the book Modern PHP and deals with a user entering in a text box something like:
>
> <script>window.location.href='http://example.com';</script>
>
> Is there a better way of dealing with this?
>
>
> For context, I am creating a user registration field and there is a textarea field for their bio.
>
> Thank you!
>
> --
> Stephen
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>


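The pattern the thread converges on (Ashley's "escape at the point of display" and Richard Lynch's "filter input; escape output"), as an added PHP example that is not from any of the posters: the bio is stored raw with a bound parameter, and each output medium gets its own escaper. It assumes the PDO SQLite driver is available; the table and the sample bio are constructed for the example.

```php
<?php
// Added example (not from the thread): store the bio raw with a prepared
// statement, escape only at output, per output context. Assumes SQLite
// via PDO; the table and sample bio are constructed for this example.
declare(strict_types=1);

// The sample input is the <script> payload Stephen quoted from Modern PHP.
$bio = "<script>window.location.href='http://example.com';</script>";

// 1. Storage: the only thing the database needs is protection from SQL
//    injection, which a bound parameter provides. No htmlentities() here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)');
$stmt = $pdo->prepare('INSERT INTO users (name, bio) VALUES (:name, :bio)');
$stmt->execute([':name' => 'stephen', ':bio' => $bio]);

// 2. Output: escape at the point of display, choosing the escaper for the
//    medium the data is headed to (Richard Lynch's "escape output").
$row = $pdo->query('SELECT name, bio FROM users')->fetch(PDO::FETCH_ASSOC);

function escHtml(string $s): string {
    // HTML body or attribute text: <, >, &, " and ' become entities.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function escUrlParam(string $s): string {
    // Value inside a URL inside an HTML attribute: urlencode first, then HTML.
    return escHtml(urlencode($s));
}
function escJs(string $s): string {
    // Data handed to inline JavaScript: emit it as a JSON string literal,
    // with HTML-significant characters hex-escaped so </script> cannot appear.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// HTML page: the tag is rendered as visible text, not executed.
echo '<p class="bio">' . escHtml($row['bio']) . "</p>\n";
// Link carrying the bio as a query parameter.
echo '<a href="/search?q=' . escUrlParam($row['bio']) . '">search</a>' . "\n";
// Inline script consuming the value.
echo '<script>var bio = ' . escJs($row['bio']) . ";</script>\n";

// CSV download: a different medium, so no HTML escaping at all; the raw
// value goes through fputcsv(), which handles CSV quoting.
$out = fopen('php://output', 'w');
fputcsv($out, [$row['name'], $row['bio']]);
fclose($out);
```

Because the stored value is untouched, the same row can feed the HTML page, the link, the inline script and the CSV export; had htmlentities() been applied before the INSERT, the CSV would carry entities and the HTML would be double-escaped.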