doubledee, Posted June 9, 2012

Another security question...

Is there any reason why I would want to restrict what characters a User can use for a "Photo Label" which I am displaying using the TITLE attribute in the IMG tag?

Not sure if this is a possible "Attack Vector" or not?!

Thanks,

Debbie
requinix, Posted June 9, 2012

No security reason. Valid reasons could include length (don't want 1000-character-long tooltips) and cleanliness (HTML tags wouldn't look pretty).
doubledee (Author), Posted June 9, 2012

> No security reason. Valid reasons could include length (don't want 1000-character-long tooltips) and cleanliness (HTML tags wouldn't look pretty).

Okay, I guess I'd better add data validation for my "Photo Label".

Thanks,

Debbie
trq, Posted June 9, 2012

Like all data that is output to the browser, however, it also poses a potential XSS threat.
requinix, Posted June 9, 2012

> Like all data that is output to the browser, however, it also poses a potential XSS threat.

Right. I just focused on the user input side of things. Still have to escape it for the query, still have to escape it during output - same as always.
doubledee (Author), Posted June 9, 2012

> No security reason. Valid reasons could include length (don't want 1000-character-long tooltips) and cleanliness (HTML tags wouldn't look pretty).

If I am using Prepared Statements, and I restrict the length like this...

```php
// ************************
// Validate Photo Label.  *
// ************************
if (empty($trimmed['photoLabel'])) {
    // No Photo Label.
    $photoLabel = '';
} else {
    // Photo Label Exists.

    // Check Length.
    if (strlen($trimmed['photoLabel']) <= 40) {
        // Valid Label.
        $photoLabel = $trimmed['photoLabel'];
    } else {
        // Invalid Label.
        $errors['photoLabel'] = 'Photo Label cannot exceed 40 characters.';
    }
} // End of VALIDATE PHOTO LABEL
```

Then that should be all I need for handling input, right?

And you guys are also saying I need to modify my output...

```php
<img src="/uploads/<?php echo validatePhoto($photoName, $photoApproved); ?>" width="100" alt="<?php echo 'Thumbnail of ' . $user ?>" title="<?php echo $photoLabel; ?>"/>
```

???

Debbie
Philip, Posted June 9, 2012

> Like all data that is output to the browser, however, it also poses a potential XSS threat.
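The two halves the replies describe, a length check on input and escaping at output time, as an added example that is not code from anyone in the thread. The function names, the multibyte-aware length count and the sample labels are constructed for this example; the title attribute is escaped with htmlspecialchars() using ENT_QUOTES so a label containing a double quote cannot close the attribute.

```php
<?php
// Added example, not from the thread: input-side length check plus
// output-side escaping for the IMG title attribute.
declare(strict_types=1);

/** Input side: returns the trimmed label, or null when it is too long. */
function validatePhotoLabel(string $raw, int $maxLen = 40): ?string
{
    $label = trim($raw);
    if ($label === '') {
        return '';                  // an empty label is allowed
    }
    // mb_strlen counts characters rather than bytes, so accented or
    // multibyte text gets the same 40-character limit as plain ASCII.
    return mb_strlen($label, 'UTF-8') <= $maxLen ? $label : null;
}

/** Output side: every attribute value is escaped for an HTML attribute context. */
function renderPhotoTag(string $src, string $alt, string $title): string
{
    // ENT_QUOTES escapes both ' and ", which is what keeps a label from
    // breaking out of the quoted title attribute.
    $esc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    return '<img src="/uploads/' . $esc($src) . '" width="100"'
        . ' alt="' . $esc($alt) . '"'
        . ' title="' . $esc($title) . '"/>';
}

// Constructed sample labels: a plain one, one containing quotes and a
// tag (rendered as literal text once escaped), and an over-long one.
$samples = [
    'Me at the beach',
    'Beach "trip" <b>2012</b>',
    str_repeat('x', 41),
];

foreach ($samples as $raw) {
    $label = validatePhotoLabel($raw);
    if ($label === null) {
        echo "Photo Label cannot exceed 40 characters.\n";
        continue;
    }
    echo renderPhotoTag('photo123.jpg', 'Thumbnail of Debbie', $label), "\n";
}
```

The second sample renders with `title="Beach &quot;trip&quot; &lt;b&gt;2012&lt;/b&gt;"`, so the browser shows the characters in the tooltip instead of interpreting them as markup.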