Geek Answers Handbook

Is it safe to display user input as input without disinfection?

Let's say we have a form in which the user enters various information. We check the information and find that something is wrong. Missing field, invalid email address, etc.

When you show the form to the user again, I certainly do not want him to enter everything again, so that I would like to fill in the input fields. Is it safe to do this without disinfection? If not, what is the minimum sanitation that must be done first?

And clean: it, of course, will be disinfected before, for example, it is added to the database or displayed elsewhere on the site.

+6
html security xss user-input
source share
4 answers

No, it is not. The user can be directed to the form from a third-party site or simply enter data (innocently) that could break the HTML.

Convert any character with a special value to its HTML object.

i.e. from & to &amp; , from < to &lt; , > to &gt; and " before &quot; (assuming you separate your attribute values โ€‹โ€‹with " , not ' .

In Perl use HTML :: Entities , in TT use html , in PHP use htmlspecialchars . Otherwise, find something similar in the language you are using.

+8
source share

This is not safe, because if someone can force the user to submit certain data to your form, you will output it and it will be โ€œexecutedโ€ by the browser. For example, if a user is forced to send '/><meta http-equiv="refresh" content="0;http://verybadsite.org" /> , an unwanted redirect will result.

+1
source share

You cannot embed user-provided data in an HTML document without first coding it. Your goal is to ensure that the structure of the document cannot be changed and that the data is always treated as data values โ€‹โ€‹and is never HTML markup or Javascript code. Attacks on this mechanism are commonly known as cross-site scripting or simply โ€œXSSโ€.

If you insert an HTML attribute value in the attribute, you must ensure that the string cannot cause the attribute value to end prematurely. You must also, of course, make sure that the tag itself cannot be completed. You can achieve this by HTML encoding any characters that are not guaranteed to be safe.

If you write HTML so that the value of the tag attribute appears inside a pair of characters with a double quote or a single quote, you only need to make sure that you are html-encoding the quote character that you have chosen to use. If you incorrectly specify your attributes as described above, you need to worry about many other characters, including spaces, characters, punctuation, and other ascii control characters. Although, to be honest, it's probably safer to encode these non-alphanumeric characters anyway.

Remember that the value of an HTML attribute can appear in three different syntactic contexts:

Double-quoted attribute value

 <input type="text" value="**insert-here**" />

All you need to do is encode the double quote character for a suitable HTML safe value, for example &quot;

Single quote attribute value

 <input type='text' value='**insert-here**' />

You only need to encode the single quote character to a suitable HTML safe value, for example &#145;

Value without quotes

 <input type='text' value=**insert-here** />

You should never have a html tag attribute value without quotes, but sometimes this is not subject to control. In this case, we really need to worry about spaces, punctuation, and other control characters, as they will knock us out of the attribute value.

With the exception of alphanumeric characters, avoid all characters with ASCII values โ€‹โ€‹less than 256 with the format &#xHH; (or named entity, if available) to prevent the transition from the attribute. Unquoted attributes can be broken into many characters, including [space] % * + , - / ; < ^ and | (and more). [para removed from OWASP]

Remember that the above rules only apply to control injections when pasting an HTML attribute into a value. In other areas of the page, different rules apply.

See the XSS Security Bypass in OWASP for more information.

+1
source share

Yes, it is safe, of course, of course, that you are correctly encoding the value.

The value placed inside the attribute in HTML must be encoded in HTML. The server-side platform must have methods for this. In ASP.NET, for example, there is a Server.HtmlEncode method, and the TextBox control automatically encodes the value that you put in the Text property.

0
source share

More articles:


All Articles