trlists@xxxxxxxxxx wrote:
I am a consultant developing a PHP-based site (fully operational now;
we're adding some new features).
One thing I need to do is allow resellers of my client's services to
edit HTML which will then be used on the web pages their customers see.
In other words they get to customize the appearance of their portion of
the site. Most of the data entry involved is stuff where they plug in
some data and I create the HTML with it -- stuff like colors and
titles. But in some cases I need to allow them to enter HTML code
themselves.
I am currently running the code through htmlentities() before
displaying it in the form field for them to edit. The _POST data is
run through trim(), then substr() to limit the length, then
html_entity_decode(), before doing any further processing. We also use
strip_tags() on all fields in _POST except the HTML data, and
everything that goes into the database is run through
mysql_real_escape_string().
Do these methods seem reasonably secure? Am I missing something? The
risk is minimized by the fact that the HTML the user enters is
displayed to their own customers, whom they presumably don't want to
attack (and if they did they could just do it on their own web site).
But I still want to avoid as many opportunities as possible for either
inadvertent or deliberate errors to cause trouble.
something that springs to mind...
<script>
<!--
function EvilHaxtorAreGo()
{
// ... yadda yadda
}
window.onload = EvilHaxtorAreGo;
//-->
</script>
Thanks for any comments,
--
Tom
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
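The pipeline in the question decodes entities before storing, so whatever the reseller typed, including a script like the one in the reply, reaches the customers' pages verbatim; htmlentities() only protects the edit form, and mysql_real_escape_string() only the SQL statement. The following allowlist filter is an added example, not code from this thread; the permitted tag and attribute lists are assumptions, and it needs PHP 7.1 or later with ext/dom.

```php
<?php
// Added example, not from the thread: keep only allowlisted tags/attributes in
// reseller-supplied HTML. The lists below are assumptions for illustration.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'h2', 'h3'];
const ALLOWED_ATTRS = ['a' => ['href', 'title']];
function clean_node(DOMNode $node): void
{
    // Copy the live NodeList first: removing children while iterating skips siblings.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                $node->removeChild($child);   // drops <script>, <style>, <iframe>... with their content
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                // href may only be http(s), site-relative or a fragment; other schemes are dropped
                $keep = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                    && ($name !== 'href' || preg_match('~^(https?://|/|#)~i', trim($attr->value)));
                if (!$keep) {
                    $child->removeAttribute($attr->name);   // this also removes every on* handler
                }
            }
            clean_node($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);   // comments and processing instructions
        }
    }
}
function sanitize_html(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // sloppy reseller markup must not emit warnings
    $doc->loadHTML('<?xml encoding="UTF-8"?><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);   // our wrapper comes first in document order
    clean_node($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
// Constructed input modelled on the script in the reply above.
$posted = '<p onmouseover="EvilHaxtorAreGo()">Hello</p><script>window.onload = EvilHaxtorAreGo;</script>';
// The question's pipeline (trim, substr, html_entity_decode) leaves the script untouched.
$stored = html_entity_decode(substr(trim($posted), 0, 4000));
echo sanitize_html($stored), "\n";   // <p>Hello</p>
```

Run the filter at save time and store its output, so the edit form (still passed through htmlentities()) and the customer-facing page both show the same already-cleaned markup.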