PHP & Security

Forum Moderators: coopster

Message Too Old, No Replies

PHP & Security

How to "clean" user submitted data

nfs2

11:31 pm on Feb 17, 2006 (gmt 0)

So my site is a social site like myspace/livejournal etc. That means there are lots of feilds for users to input data. I use bbcode for blog posting and strip html from text feilds.

The thing is, like myspace and livejournal, i will allow users to edit their layouts by directly editing the HTML of their profile/blog. My question is, is there a way to do this safeley?

I figure if myspace can do it without problems, there must be a way.

DrDoc

4:16 am on Feb 18, 2006 (gmt 0)

One important thing to remember is to determine beforehand what you will allow, then nuke the rest. Doing it the other way (try to get rid of posted data which may be considered "harmful") you are bound to overlook something, which can then subsequently be abused (and possibly used to hack your site).

pinterface

6:59 am on Feb 18, 2006 (gmt 0)

In addition to what DrDoc said, always sanitize your data on output. That way, when something malicious does get through, it will be nuked once your cleaner has been modified to account for it.

If you intend to allow user layouts to contain CSS, you'll also want to parse and clean their stylesheets. -moz-binding, for instance, recently caused LiveJournal a rather large amount of hassle, and IE is wont to handle javascript: URIs wherever they appear, including CSS.

PHP & Security

How to "clean" user submitted data

nfs2

DrDoc

pinterface

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week