The MU forums have moved to WordPress.org

input kses.php modification (6 posts)

  1. Farms
    Member
    Posted 15 years ago #

    Heya,

    In the general consensus is there anything to be concerned about in terms of allowing 'input' tags through kses.php... i.e.

    'input' => array(
    			'name' => array(), 'maxlength' => array(),
    			'type' => array(), 'size' => array(),
    			'id' => array(), 'value' => array()
    			),

    Cheers, James

  2. JeremyVisser
    Member
    Posted 15 years ago #

    What did enabling <input /> tags allow you to do?

    I don't see it as dangerous, provided they're not allowed inside <form />s.

  3. Farms
    Member
    Posted 15 years ago #

    Hmmm... yeh... that's the issue, they're inside <form>s... what's the security implication there?

  4. mark-k
    Member
    Posted 15 years ago #

    IMHO None. If there is a security exploit available via a form, then it can be exploited by sending HTTP message with your favorite scripting language.

    I guess that the more important question is, do you intent to let your user write some code which will be executed at the server level (otherwise you probably don't need the form at all)?

  5. Farms
    Member
    Posted 15 years ago #

    Absolutely not, just to let them insert this into a post, page or (even better) widget:

    <form method="post" action="http://www.feedblitz.com/feedblitz.exe?BurnUser"><p><label for="email">Enter your email to subscribe:</label><br /><input name="email" maxlength="255" type="text" size="22" id="email" /><br /><input name="uri" type="hidden" value="xxxxxxxxxxxxx" /> <input type="submit" value="Subscribe me!" /></p></form>

  6. mark-k
    Member
    Posted 15 years ago #

    In this case I don't see any additional security risk being created, but I'm not a security professional , so please don't sue me if something goes wrong ;).

About this Topic