After I sent my response last night, I was thinking more about the fact that
the HTTP_REFERER is technically a form of user input since it's sent by the
user's browser (in my understanding). For this reason, it should probably be
filtered before being used anywhere in the application to prevent SQL injection
(not relevant in this example) or XSS. I can't think of a scenario where an
XSS vulnerability could actually occur using the HTTP_REFERER, but the fact
remains that it's user input and should not be trusted because it can be
tampered with. I'm not sure exactly what filter should be used, but
something that makes sure it contains only a valid URL.

On Tue, Sep 30, 2008 at 11:02 PM, Matthew Weier O'Phinney
<[EMAIL PROTECTED]> wrote:

> -- Matthew Ishii <[EMAIL PROTECTED]> wrote
> (on Tuesday, 30 September 2008, 07:13 PM -0700):
> > I am not sure if this has been brought up before (though most likely
> > it has) however I will anyway, I am having issues validating my pages
> > against the W3C webstandards for proper HTML markup.  I am using the
> > XHTML1_STRICT Doctype.
> >
> > It seems like the phtml webpage format is having difficulties working
> > with the standards, for example, I have a 'back' link that is using
> > the SERVER 'HTTP_REFERER' variable to direct users to the last visited
> > page.  When I attempt to validate the page with the following markup,
> > I receive the following errors:
> >
> > Markup -
> >
> > <p class="padded_paragraph"><a href="<?php echo
> > $_SERVER['HTTP_REFERER'] ?>" class="bold">Back</a></p>
> >
> > Error(s) -
> >
> > Line 92, Column 37: character "<" is the first character of a
> > delimiter but occurred as data.
> >
> > Warning  Line 93, Column 9: character "<" is the first character of a
> > delimiter but occurred as data.
> >
> > <b>Notice</b>:  Undefined index:  HTTP_REFERER in
> > <b>/home1/ioforgec/zend/applic
> >
> > What I find strange is the notice, that the validation service catches
> > in the source, but when viewed by me in the browser and when viewed in
> > the post-rendered source I don't see such a notice.  I suppose the
> > HTTP_REFERER is not set for a robotic user, which is what the
> > validation service must be manifesting as to my application.  But how
> > can I prevent this from causing the page not to validate?
>
> A couple things I see here. First, what are you validating? The .phtml
> file itself, or a page that renders that view script? Second, yes,
> HTTP_REFERER is something that may or may not be present based on the
> current request environment.
>
> I'd suggest creating a view helper that generates the backlink; you
> could then add some logic in the helper to check for the existence of
> the key, and if not present, simply emit an empty string or an anchor.
> It might look like this:
>
>    class My_View_Helper_BackLink extends Zend_View_Helper_Abstract
>    {
>        public function backLink()
>        {
>            $link = '#';
>            if (array_key_exists('HTTP_REFERER', $_SERVER)) {
>                $link = $_SERVER['HTTP_REFERER'];
>            }
>            return '<a href="' . $link . '" class="bold">Back</a>';
>        }
>    }
>
> --
> Matthew Weier O'Phinney
> Software Architect       | [EMAIL PROTECTED]
> Zend Framework           | http://framework.zend.com/
>



-- 
Bradley Holt
[EMAIL PROTECTED]
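As an added example (not code from the thread or from Zend Framework), here is one way to apply the filtering Bradley describes to the back-link helper Matthew sketched: HTTP_REFERER is used only when it parses as an http(s) URL, and the value is HTML-escaped before it goes into the href attribute, so the missing-referer notice and the raw '<' in the markup both go away. The same-host restriction and the host name `example.com` are assumptions made for this example.

```php
<?php
// Added example, not the thread's own code: a hardened version of the
// backLink() idea. HTTP_REFERER is untrusted input, so it must parse as an
// http(s) URL, point back at our own host (assumption), and be escaped for
// the attribute context before it is emitted.

function safeBackLink(array $server, string $expectedHost): string
{
    $link = '#';                                // fallback when nothing usable
    $referer = $server['HTTP_REFERER'] ?? '';   // avoids the "Undefined index" notice

    // FILTER_VALIDATE_URL rejects malformed values (spaces, missing host, ...)
    if ($referer !== '' && filter_var($referer, FILTER_VALIDATE_URL) !== false) {
        $parts  = parse_url($referer);
        $scheme = strtolower($parts['scheme'] ?? '');
        $host   = strtolower($parts['host'] ?? '');
        // Only http/https, and only back to our own site (assumption)
        if (in_array($scheme, ['http', 'https'], true)
            && $host === strtolower($expectedHost)) {
            $link = $referer;
        }
    }

    // Escape for an HTML attribute regardless of what passed validation
    $safe = htmlspecialchars($link, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safe . '" class="bold">Back</a>';
}

// Constructed sample $_SERVER arrays exercising the cases a defender cares about
$cases = [
    'missing referer (validator robot)' => [],
    'same-site referer'                 => ['HTTP_REFERER' => 'https://example.com/list?page=2&sort=asc'],
    'non-http scheme'                   => ['HTTP_REFERER' => 'javascript:void(0)'],
    'attribute-breaking quote'          => ['HTTP_REFERER' => 'https://example.com/" class="x'],
    'foreign host'                      => ['HTTP_REFERER' => 'https://other.example.net/'],
];

foreach ($cases as $label => $server) {
    echo $label, ': ', safeBackLink($server, 'example.com'), PHP_EOL;
}
```

Only the same-site case yields a real link; the ampersand in its query string is emitted as `&amp;`, which is what the XHTML validator expects, and every other case falls back to `#`.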
