Jump to content

Recommended Posts

Another security question...

 

Is there any reason why I would want to restrict what characters a User can use for a "Photo Label" which I am displaying using the TITLE attribute in the IMG tag??

 

Not sure if this is a possible "Attack Vector" or not?!

 

Thanks,

 

 

Debbie

 

Link to comment
https://forums.phpfreaks.com/topic/263894-restrict-characters-in-title-attribute/
Share on other sites

Like all data that is output to the browser however it also posses a potential xss threat.

Right. I just focused on the user input side of things. Still have to escape it for the query, still have to escape it during output - same as always.

No security reason. Valid reasons could include length (don't want 1000-character-long tooltips) and cleanliness (HTML tags wouldn't look pretty).

 

If I am using Prepared Statements, and I restrict the length like this...

 

	// ************************
	// Validate Photo Label.	*
	// ************************
	if (empty($trimmed['photoLabel'])){
		// No Photo Label.
		$photoLabel = '';

	}else{
		// Photo Label Exists.
		// Check Length.
		if (strlen($trimmed['photoLabel']) <= 40){
			// Valid Label.
			$photoLabel = $trimmed['photoLabel'];
		}else{
			// Invalid Label.
			$errors['photoLabel'] = 'Photo Label cannot exceed 40 characters.';
		}
	}//End of VALIDATE PHOTO LABEL

 

Then that should be all I need for handling input, right?

 

 

And you guys are also saying I need to modify my output...

<img src="/uploads/<?php echo validatePhoto($photoName, $photoApproved); ?>" width="100" 
		 alt="<?php echo 'Thumbnail of ' . $user ?>"
		 title="<?php echo $photoLabel; ?>"/>

 

???

 

 

Debbie

 

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.