How to use longtext input securely? : Elgg.org

How to use longtext input securely?

By hd 4249 days ago

Hi,

I am developing a plugin. I need to put a longtext input in my plugin. But I worry about it, because a longtext input is a good place for XSS attack.

How can I use it securely ? If I use sanitise_string(get_input(inputname)) it will have problem with good html tags.

What you do in this situations?

- ihayredinov@ihayredinov
ihayredinov 4249 days ago
- 0 likes
get_input() will do all the work, just keep htmlawed enabled.
- hd@hdelgg
hd 4249 days ago
- 0 likes
If get_input() does it itself, what is the porpose of sanitise_string() ?
- ihayredinov@ihayredinov
ihayredinov 4249 days ago
- 0 likes
Elgg's API built in a way to protect you from XSS injections. All DB queries are sanitized by default, so unless you are writing a custom sql, you can bypass sanitizing.
get_input() will run user input through htmlawed and strip all unsafe tags, the rest will be sanitized before being added to the database.