[thelist] What to watch for when you allow external text to be included in your page?

John Corry john at neoncowboy.com
Wed Nov 28 18:08:00 CST 2001


|Hello,
|I'd like to know what to watch for when I will make an external
|input part of my
|html page ?

Anything that will break the surrounding HTML. Like, if for some reason your
file that you include in your HTML document/output had a </td> in it (or any
partial HTML), that could interfere with the HTML in the containing
document.

The htmlspecialchars() function might be a good thing:
http://www.php.net/manual/en/function.htmlspecialchars.php
|
|My situation is that I dynamically generate an IMG tag with PHP,
|the SRC and ALT attributes are filled with data from a database

OK...that's a piece o' cake

|
|So I would like to know what to watch for before entering the data in the
|database.

Hm, if it's a string, it'll get stored in single quotes. Make sure you strip
the quotes. I have some code where I'm doing the same thing and I use the
stripslashes() function:
http://www.php.net/manual/en/function.stripslashes.php

|
|(I am thinking of some sort of server include, although I don't
|know well the syntax used for them, but surely others know and could try)
|For example, would something like this be a threat (assume I know
|nothing of the syntax)?
|<IMG SRC=http://www.server.com/image.gif
|ALT="<!exec='/erase -everything -onServer'>" width="80">
|

Be careful what you put in the field that you draw alt="" text from. If that
field has a ">" in it, the <img> tag you are writing the alt="" text into
will be ended by that ">". I dunno what'd happen if you did
htmlspecialchars() on it...if the character entities would print or
translate when included as alt="" text...In IE 6, alt="&gt;" renders an
image's alt="" text as a ">", ymmv.





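As an added example (not code from the post, and written for a current PHP rather than the 2001 version the thread discusses): the naive tag builder shows the breakage described above, where a ">" or a quote in the alt text ends the attribute and the tag early, beside a version that runs every attribute value through htmlspecialchars() with ENT_QUOTES. The browser decodes those entities when it displays the alt text, so alt="&gt;" is shown as ">". It also stores the sample rows with a prepared statement so that database quoting and HTML escaping are handled at their own boundaries; the function names, the in-memory SQLite table and the http(s)-only rule for src are this example's own assumptions.

```php
<?php
// Added example; not code from the original post. Names (img_tag, attr, the
// images table) and the in-memory SQLite database are this example's own.

// Naive version: the raw database strings are interpolated into the markup,
// so a '>' or a quote in the alt text ends the attribute and the <img> tag.
function img_tag_unsafe(string $src, string $alt): string
{
    return '<img src="' . $src . '" alt="' . $alt . '" width="80">';
}

// Escape one attribute value. ENT_QUOTES converts both " and ', so the value
// cannot terminate a quoted attribute; < and > are converted as well. The
// browser decodes the entities when it displays the alt text.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened version. Escaping alone is not enough for src, because a
// "javascript:" URL is still a well-formed attribute value; this example's
// policy (an assumption, not from the post) is to allow http(s) URLs only.
function img_tag(string $src, string $alt): string
{
    if (!preg_match('#^https?://#i', $src)) {
        throw new InvalidArgumentException('src must be an http(s) URL');
    }
    return '<img src="' . attr($src) . '" alt="' . attr($alt) . '" width="80">';
}

// Storage: keep the text exactly as received and let a prepared statement
// handle quoting for the database. Nothing is stripped or slashed on the
// way in; HTML escaping happens only at output time.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE images (id INTEGER PRIMARY KEY, src TEXT NOT NULL, alt TEXT NOT NULL)');

// Constructed sample rows (not real data): a plain caption, a value with
// quotes and '>', and the string from the thread.
$samples = [
    ['http://www.server.com/image.gif', 'Plain caption'],
    ['http://www.server.com/image.gif', 'Bob\'s "favourite" > image'],
    ['http://www.server.com/image.gif', "<!exec='/erase -everything -onServer'>"],
];
$insert = $db->prepare('INSERT INTO images (src, alt) VALUES (?, ?)');
foreach ($samples as [$src, $alt]) {
    $insert->execute([$src, $alt]);
}

// Read back and render both ways so the difference is visible.
foreach ($db->query('SELECT src, alt FROM images ORDER BY id') as $row) {
    echo "unsafe: " . img_tag_unsafe($row['src'], $row['alt']) . "\n";
    echo "safe:   " . img_tag($row['src'], $row['alt']) . "\n\n";
}
```

Run it with `php example.php` (the pdo_sqlite extension must be loaded). The second row makes the point of the thread: in the unsafe output the `"` closes the alt attribute and the `>` closes the tag, leaving `image" width="80">` as stray text, while the escaped output keeps the whole string inside the attribute. stripslashes() removes backslashes and addslashes() adds them; with bound parameters neither step is needed, and the value can be stored as the user typed it.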