Generally, any data coming from the user should be treated as dirty,
unsanitary, and filthy. You can even go so far as to assume it has cooties.
With that in mind, it's always a good idea to filter incoming data. If
you're expecting a number (such as page number), cast it to int. If you're
expecting a string (such as username or e-mail address), run it through an
appropriate filter.
But if you're accepting a string and worried about it being executed as PHP
code, that's only possible if you eval() the code at some point. Just
echoing PHP code won't be harmful:
$code = 'some_evil_function();';
echo $code; // no harm done
eval($code); // bad things will happen
The same principle applies to HTML, or more specifically, JavaScript. If the
user specifies their username as "<script type="text/javascript">alert('you
got hacked');</script>", then you obviously don't want to echo that directly
into the HTML. But instead of filtering out HTML, you should pass the value
to the escape view helper from within your view script:
<div class="username"><?= $this->escape($this->username) ?></div>
This ensures that any character that can be treated as an HTML special
character (<, >, ", etc.) is converted into an entity (&lt;, &gt;, &quot;,
etc.).
The only time I use the StripTags filter is when I'm accepting (read:
expecting) HTML from the user. For example, from a WYSIWYG editor like a
comment form. Since I need to echo out the user's HTML *without* escaping, I
always run it through the StripTags filter as well as through Tidy when
submitted.
So, to answer your question, yes, HTML and/or PHP code can be passed in from
the user through a GET request, but unless you're allowing the code to
execute it shouldn't be a problem.
--
Hector
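The three cases above (cast the number, escape the string at output, and strip tags only when HTML is expected), plus an allowlist for the original poster's `lang` parameter, as a runnable plain-PHP example. This is added here and is not code from the thread or from Zend Framework; it assumes that Zend_View's escape() helper behaves like htmlspecialchars(), and all input values are constructed.

```php
<?php
// Added example, not from the original thread. Plain PHP, no Zend classes,
// so it runs stand-alone. Assumption: $this->escape() in a Zend view script
// is equivalent to htmlspecialchars() as used below.

// Constructed sample input, standing in for $_GET / $this->_getParam().
$params = [
    'page'     => '3abc',                      // expected: an integer
    'lang'     => '<b>fr</b>',                 // expected: one of a few fixed codes
    'username' => "<script type=\"text/javascript\">alert('you got hacked');</script>",
];

// 1. Expecting a number: cast it. Leading digits are kept, anything else is
//    dropped, and a sanity check handles the "0 or negative" case.
$page = (int) $params['page'];
if ($page < 1) {
    $page = 1;
}

// 2. Expecting one of a few known values (the poster's 'lang' param): compare
//    against an allowlist instead of trying to clean the string.
$allowedLangs = ['en', 'fr', 'de'];
$lang = in_array($params['lang'], $allowedLangs, true) ? $params['lang'] : 'en';

// 3. Expecting free text that will be shown in HTML: store it unchanged and
//    escape at output time, in the view. Quotes are escaped too (ENT_QUOTES)
//    so the value is also safe inside an attribute.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$username = $params['username'];

// Escaped: the browser renders the literal text of the tag; nothing executes.
echo '<div class="username">' . escapeHtml($username) . "</div>\n";

// Stripped: the tags are removed, but the text between them survives and no
// quoting is applied, so strip_tags() is not a substitute for escaping. Use it
// (as Hector does) only when you are deliberately accepting HTML.
echo strip_tags($username), "\n";

// 4. A string only runs as PHP if you eval() it. Echoing it is inert.
$code = 'some_evil_function();';
echo escapeHtml($code), "\n";   // prints the text; no function is called
// eval($code);                 // the only line here that would execute it

echo "page={$page} lang={$lang}\n";
```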
On Wed, Jun 30, 2010 at 2:15 AM, debussy007 <[email protected]> wrote:
>
> Hi,
>
> I've always used Zend_Filter_StripTags to get the POST values from a form.
> I was just wondering if it makes any sense to use it to get params (from
> the
> url).
> e.g. $lang = $this->_getParam('lang');
> Could someone stick html or php code in a URL ...
>
> Thank you!
> --
> View this message in context:
> http://zend-framework-community.634137.n4.nabble.com/Zend-Filter-StripTags-question-tp2272694p2272694.html
> Sent from the Zend Framework mailing list archive at Nabble.com.
>