Hi,
I am developing a plugin. I need to put a longtext input in my plugin. But I worry about it, because a longtext input is a good place for an XSS attack.
How can I use it securely? If I use sanitise_string(get_input(inputname)) it will have problems with good HTML tags.
What do you do in these situations?
ihayredinov - 0 likes

get_input() will do all the work, just keep htmlawed enabled.

hd - 0 likes

If get_input() does it itself, what is the purpose of sanitise_string()?

ihayredinov - 0 likes

Elgg's API is built in a way to protect you from XSS injections. All DB queries are sanitized by default, so unless you are writing custom SQL, you can bypass sanitizing.
get_input() will run user input through htmlawed and strip all unsafe tags; the rest will be sanitized before being added to the database.
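The division of labour described in the replies, shown as an added example for a hypothetical plugin action (this code is not from the thread and not Elgg core; the subtype `example_note`, the input names `body`, `guid` and `q`, and the `objects_entity` query are assumptions, written against the Elgg 1.x API names used above: `get_input()`, `sanitise_string()`, `elgg_view()`, `get_data()`):

```php
<?php
// Added example: an action handler for a hypothetical Elgg plugin that accepts
// a longtext field named "body". Assumes Elgg 1.x with the htmlawed plugin enabled.

// 1. Read the longtext field. get_input() passes the value through the
//    'validate','input' hook; with htmlawed enabled that strips unsafe markup
//    (script tags, on* event attributes, javascript: URLs) while keeping
//    harmless tags such as <p>, <strong> and <a href="http://...">.
//    This is the XSS defence; no extra escaping is needed for HTML output.
$body = get_input('body');

// The third argument controls filtering and defaults to true. Pass false only
// for values that are never rendered as HTML and that you validate yourself.
$guid = (int) get_input('guid', 0, false);

// 2. Store through the entity API. Elgg escapes values for the database on
//    save, so calling sanitise_string() here is unnecessary. It would also
//    backslash-escape the quotes inside href="..." attributes and corrupt the
//    legitimate markup, which is the problem the original question ran into.
$object = new ElggObject();
$object->subtype = 'example_note';   // assumed subtype for this example
$object->description = $body;
if (!$object->save()) {
    register_error('Could not save note');   // generic message, no user input echoed
    forward(REFERER);
}

// 3. Render it later with the longtext output view rather than raw echo;
//    the view is assumed to apply Elgg's own output filtering (check the
//    view in your Elgg version). Do not htmlspecialchars() this value, or the
//    allowed tags would be displayed literally.
echo elgg_view('output/longtext', array('value' => $object->description));

// 4. sanitise_string() is for the one case the replies mention: hand-written
//    SQL. It escapes quotes for MySQL and does nothing about HTML, so it is
//    the wrong tool against XSS and the right tool against SQL injection in
//    a custom query built by string interpolation.
$prefix = elgg_get_config('dbprefix');
$needle = sanitise_string(get_input('q'));
$rows = get_data("SELECT guid FROM {$prefix}objects_entity "
               . "WHERE description LIKE '%{$needle}%' AND guid = {$guid}");
```

The rule of thumb the replies give, restated: user-supplied HTML is made safe once on input by `get_input()` plus htmlawed, persistence through entities and metadata is escaped for you, and `sanitise_string()` only enters the picture when a value is spliced into SQL you wrote yourself.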