cags, posted November 16, 2009

I have a fairly standard 'Contact Us' section on a site and I just decided to scan it with the Security Compass XSS Me plugin. I was quite surprised to find that it failed many of the tests. The reason is fairly obvious now I think about it: if a user doesn't submit all fields, the form is re-displayed to the user by using code like so...

<input name="forname" type="text" value="<?php if(isset($_POST['forname'])) { echo $_POST['forname']; } ?>" size="20" />

Basically I'm wondering if this would be considered a security hole? The data is sanitized using strip_tags and htmlentities before being placed in the e-mail. Because of that I'm fairly confident that the user can do nothing but XSS attack themselves. Should I worry about sanitizing this data or not? What's standard practice in this situation?
PFMaBiSmAd, posted November 16, 2009

The 'test' that XSS Me does is to check if what it submits is output on the resulting page. A true test would be: does the submitted 'dangerous code' get saved somewhere on your site and is then output as content on a page, so that other visitors to your site will end up having the dangerous code executed in their browser?
cags (author), posted November 16, 2009

Nope, the content doesn't get saved at all, it simply gets e-mailed. The e-mail is sent in HTML format, so as stated before, I do call strip_tags and htmlentities on the inputs to check that they don't add unwanted data to the e-mail. The only place the unsanitized data ever gets output is when repopulating the fields on the page due to it failing validation in some way. Therefore the only browser it can ever be displayed in is the one belonging to the person who submitted the data originally. I'm perfectly content for people to attempt to hack themselves; I was just worried that this would be considered bad practice or could potentially lead to some unforeseen problems.
salathe, posted November 16, 2009

Quoting cags: "I'm fairly confident that the user can do nothing but XSS attack themselves. Should I worry about sanitizing this data or not? What's standard practice in this situation?"

First, worry about any and all user-submitted data. Second, there is nothing stopping an attacker from creating a page which forwards a post request from a page on their site (or a site they control!) to your page. All an unsuspecting visitor needs to do is hit their page, get automatically forwarded to your site (with a nasty payload in the POST) and the attacker can do whatever they like (send the visitor's cookie data, log keystrokes, etc.). All of this can happen, for example, in an invisible iframe and the visitor would not know a thing.
cags (author), posted November 16, 2009

Quoting salathe: "Second, there is nothing stopping an attacker from creating a page which forwards a post request from a page on their site (or a site they control!) to your page. All an unsuspecting visitor needs to do is hit their page, get automatically forwarded to your site (with a nasty payload in the POST) and the attacker can do whatever they like (send the visitor's cookie data, log keystrokes, etc.). All of this can happen, for example, in an invisible iframe and the visitor would not know a thing."

How?

Edit: Sorry, let me quantify that. Yes, I'm well aware a malicious user can create whatever HTML page they like that would submit to my form. But what could they possibly submit that could cause any malicious effect?
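The repopulation pattern from the first post beside a hardened version, as an added example that is not code from the thread: the point salathe makes is that reflected output is enough, so the value must be escaped at the moment it is echoed into the attribute, regardless of what is done to the copy that goes into the e-mail. The helper names, the `$sample` array and its contents are constructed for this example.

```php
<?php
// Added example, not from the thread. Escaping belongs at output time:
// htmlspecialchars() with ENT_QUOTES converts " ' < > & to entities, so a
// submitted value cannot close the value="..." attribute or inject a tag.
// This covers the reflected case (nothing stored) that XSS Me exercises.

function field_value(array $post, string $name): string
{
    // Arrays (forname[]=...) or missing keys yield an empty value instead
    // of a TypeError from htmlspecialchars().
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return '';
    }
    return htmlspecialchars($post[$name], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The original pattern from the thread, kept only for comparison: the raw
// POST value is echoed straight into the attribute.
function input_unsafe(array $post, string $name): string
{
    $v = isset($post[$name]) ? $post[$name] : '';
    return '<input name="' . $name . '" type="text" value="' . $v . '" size="20" />';
}

// Hardened version: identical markup, escaped value. $name is chosen by the
// program, not the user, so it is safe to concatenate here.
function input_safe(array $post, string $name): string
{
    return '<input name="' . $name . '" type="text" value="'
        . field_value($post, $name) . '" size="20" />';
}

// Constructed sample POST: a name followed by characters that would end the
// attribute and start a new one if echoed unescaped.
$sample = ['forname' => 'Alice" onfocus="alert(1)'];

echo "Unsafe: ", input_unsafe($sample, 'forname'), PHP_EOL;
echo "Safe:   ", input_safe($sample, 'forname'), PHP_EOL;
```

The e-mail-side strip_tags/htmlentities calls from the thread are a separate output context and do not protect the HTML page; each place the value is written into HTML needs its own escaping.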