How to prevent possible problems with requiring user textedit content?

I am in the process of creating a PHP generated webpage that allows a user to make changes to a form’s textedit element. The content will be “required” into a web-page!

Only HTML elements will be allowed.

Possible rejection reasons are the content contains any of the following:

  1. <?
  2. ?>
  3. <script
  4. </script>
  5. " style"

Is there anything else worthy of rejection?

Multitudes.

I’m assuming by “textedit element” you mean “textarea element”.

Many modern browsers have default security built in and enabled.
But not all.

If you are planning to output user supplied input you are venturing on very thin ice.

As a simple contrived example, try entering this into to the textarea.
<SCRIPT>alert("gotcha")</script>

<?php
declare(strict_types=1);
header("X-XSS-Protection: 0");
// header("Content-Security-Policy: 0");

error_reporting(E_ALL);
ini_set('display_errors', 'true');

$test_input = "";

if ($_SERVER['REQUEST_METHOD'] === "POST") {
  if(!empty($_POST['test_input'])) {
    $test_input = trim($_POST['test_input']);
  }
}
?>
<!DOCTYPE HTML>
<html lang="en">
<head>
<title>Textarea Sanitization test</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<style type="text/css">
</style>
</head>
<body>
<h1>Textarea Sanitization test</h1>
<div>
<form action=""; method="POST">
 <textarea id="test_input" name="test_input" rows="10" cols="50"></textarea>
 <input type="submit" value="Submit" />
</form>
 <h2>htmlspecialchars</h2>
 <div><?php echo htmlspecialchars($test_input); ?></div>
 <h2>strip_tags</h2>
 <div><?php echo strip_tags($test_input); ?></div>
 <h2>unsanitized html</h2>
 <div><?php echo $test_input; ?></div>
</div>
</body>
</html>
2 Likes

I’d consider the IFRAME tag because they can be used maliciously, as with SCRIPT. If you need editors to add 3rd party widgets that use IFRAME’s (like vide/map embeds) then use a separate field.

1 Like

Regret the delay it was due to a broken arm and the doctor reckoned I could not use the desktop for three months!

Is the following sufficient to sanatize users input?

<?php
  # https://www.sitepoint.com/community/t/how-to-prevent-possible-problems-with-requiring-user-textedit-content/246506/2
  declare(strict_types=1); // PHP 7 specific
  error_reporting(-1);
  ini_get('display_errors');
  ini_set('error_log', 'ERROR-LOG.php');

  header("X-XSS-Protection: 1");
  header("Content-Security-Policy: 1");

  # function fred($var='NOT SPECIFIED') {echo '<pre>'.var_dump($var) .'</pre>'; }

//========================================
function getSanitizedInput( & $problem='')
{
  $problem = '{background-color:#f0f0f0; color:#000;}';

  $result = '';
  if ($_SERVER['REQUEST_METHOD'] === "POST"):
    if( isset($_POST['test_input']) ):
      $result = ' ' .$_POST['test_input'];
      $result = strtolower($result);
      if( strpos( $result, '<script') 
        || 
          strpos( $result, '<?php') 
        || 
          strpos( $result, '<style') 
        || 
          strpos( $result, '<frame') 
        || 
          strpos( $result, '<iframe') 
       ):
        $result  = "PROBLEM: \n\t" . strip_tags( $_POST['test_input'] );
        $problem = '.problem {background-color:#ff0; color:#f00; font-weight:700;}';
      else:
        $result = trim($_POST['test_input']);
      endif;  
    endif;  
  endif;  

  return $result;
}// func getSanitizedInput();


$test_input = getSanitizedInput( $problem );

?><!DOCTYPE HTML>
<html lang="en">
<head>
<title>Textarea Sanitization test</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<style type="text/css">
  body {background-color: #f9f9f9;}
  dl dd {margin-left:0px;}
  <?= $problem; ?>
  .test_input {width:88%; height: 12em;} 
  .lstn {list-style-type:none;}
  .lh2  {line-height: 1.42;}
  .ooo  {margin:0; padding:0;}
  .red  {color:red;}
  .tac  {text-align:center;} .tal {text-align: left;}
</style>
</head>


<body>
<h1>Textarea Sanitization test</h1>
<dl class="ooo">
  <dt> Try these (should produce an error): </dt>
  <dd>
    <ul class="lstn lh2">
      <li><?= htmlentities('<SCRIPT>alert("gotcha")</script>'); ?></li>
      <li><?= htmlentities('<STYLE'); ?></li>
      <li><?= htmlentities('<?'); ?></li>
      <li><?= htmlentities('<FRAME'); ?></li>
      <li><?= htmlentities('<iframe'); ?></li>
     </ul> 
  </dd>
</dl>

<div class="tac" >
  <?php $_POST = []; ?>

  <form 
    action="index-POSSIBLE_PROBLEMS.php" 
    onsubmit="return validateForm()" 
    method="post">
    <fieldset class="tal">
      <label>Please input body script (without &lt;body&gt; or &lt;/body&gt;)</label>
      <textarea 
        class="problem  test_input" 
        name="test_input"><?= $test_input; ?></textarea>
        <br>
      <input type="submit" value="Submit" />
    </fieldset>
  </form>
</div>

<?php if($test_input || strip_tags($test_input) ): ?>
  <div class="tal">
    <h2>htmlspecialchars</h2>
    <div>  <?= htmlspecialchars($test_input); ?> </div>

    <h2>strip_tags</h2>
    <div> <?= strip_tags($test_input); ?> </div>

    <h2>unsanitized html</h2>
    <div> <?= $test_input; ?> </div>
  </div>

<?php else: echo '<b class="red">YES WE HAVE NO $test_input</b>'; endif ?>  

</body>
</html>

##Is there anything else I may have forgotten?

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.