Heya,
Is there a general consensus on whether there is anything to be concerned about in terms of allowing 'input' tags through kses.php, i.e.
'input' => array(
    'name' => array(), 'maxlength' => array(),
    'type' => array(), 'size' => array(),
    'id' => array(), 'value' => array()
),
Cheers, James
What did enabling <input /> tags allow you to do?
I don't see it as dangerous, provided they're not allowed inside <form />s.
Hmmm... yeh... that's the issue, they're inside <form>s... what's the security implication there?
IMHO none. If there is a security exploit available via a form, then it can be exploited by sending an HTTP message with your favorite scripting language.
I guess that the more important question is, do you intend to let your users write some code which will be executed at the server level (otherwise you probably don't need the form at all)?
Absolutely not, just to let them insert this into a post, page or (even better) widget:
<form method="post" action="http://www.feedblitz.com/feedblitz.exe?BurnUser"><p><label for="email">Enter your email to subscribe:</label><br /><input name="email" maxlength="255" type="text" size="22" id="email" /><br /><input name="uri" type="hidden" value="xxxxxxxxxxxxx" /> <input type="submit" value="Subscribe me!" /></p></form>
In this case I don't see any additional security risk being created, but I'm not a security professional, so please don't sue me if something goes wrong ;).
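To make concrete what the allow-list posted at the top of the thread actually does to the subscribe form, here is an added example (not kses.php itself and not WordPress code) of a kses-style tag/attribute whitelist filter written in Python. The 'input' entry mirrors the six attributes from the thread; the 'form', 'p', 'label' and 'br' entries are assumptions added so the posted form has somewhere to live, and the second sample input with an event-handler and style attribute is constructed for the demonstration. The point it shows is the mitigation side of the discussion: with a per-tag attribute allow-list, the posted form passes through unchanged, while any attribute not on the list (event handlers, inline style) is dropped and logged.

```python
from html.parser import HTMLParser
from html import escape

# Tag -> allowed attribute names. The 'input' line mirrors the thread's kses entry;
# the other tags are assumptions so the posted form can be filtered end to end.
ALLOWED = {
    "form": {"method", "action"},   # assumed; the thread implies forms are already allowed
    "p": set(),
    "label": {"for"},
    "br": set(),
    "input": {"name", "maxlength", "type", "size", "id", "value"},
}

VOID = {"br", "input"}  # emitted as self-closing, never get an end tag


class KsesLikeFilter(HTMLParser):
    """Keep only allow-listed tags and, on those tags, only allow-listed attributes.
    Disallowed tags are dropped but their text content is kept, as kses does."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.stripped = []  # (tag, attribute-or-None) removed, useful for audit logging

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.stripped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            if name in ALLOWED[tag]:
                kept.append((name, value))
            else:
                self.stripped.append((tag, name))
        attr_text = "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in kept)
        close = " /" if tag in VOID else ""
        self.out.append(f"<{tag}{attr_text}{close}>")

    def handle_startendtag(self, tag, attrs):
        # <br /> and <input ... /> arrive here; do not emit an end tag for them
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def kses_filter(html):
    """Return (filtered_html, list_of_stripped_items)."""
    f = KsesLikeFilter()
    f.feed(html)
    f.close()
    return "".join(f.out), f.stripped


# The subscribe form from the thread, exactly as posted.
SUBSCRIBE_FORM = (
    '<form method="post" action="http://www.feedblitz.com/feedblitz.exe?BurnUser"><p>'
    '<label for="email">Enter your email to subscribe:</label><br />'
    '<input name="email" maxlength="255" type="text" size="22" id="email" /><br />'
    '<input name="uri" type="hidden" value="xxxxxxxxxxxxx" /> '
    '<input type="submit" value="Subscribe me!" /></p></form>'
)

# Constructed sample: an input carrying attributes that are not on the allow-list.
UNTRUSTED_INPUT = '<input name="q" type="text" onfocus="notAllowed()" style="color:red" />'

if __name__ == "__main__":
    for sample in (SUBSCRIBE_FORM, UNTRUSTED_INPUT):
        out, stripped = kses_filter(sample)
        print(out)
        print("stripped:", stripped)
```

Running it prints the subscribe form byte-for-byte as posted with nothing stripped, and reduces the constructed input to `<input name="q" type="text" />` with `onfocus` and `style` reported as removed. That is the property the thread is relying on: the attribute list, not the mere presence of the tag, decides what a post author can inject, so the review should focus on which attributes are in the list (here `type` and `value` are unrestricted strings, `action` on the form is a URL) rather than on whether `<input>` exists at all.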