Is it safe to display user input as input values without sanitization?

Say we have a form where the user types in various info. We validate the info, and find that something is wrong. A field is missing, invalid email, et cetera.

When displaying the form to the user again I of course don't want him to have to type in everything again so I want to populate the input fields. Is it safe to do this without sanitization? If not, what is the minimum sanitization that should be done first?

And to clarify: It would of course be sanitized before being for example added to a database or displayed elsewhere on the site.

Svish asked Mar 16 '10 10:03


1 Answer

No it isn't. The user might be directed to the form from a third party site, or simply enter data (innocently) that would break the HTML.

Convert any character with special meaning to its HTML entity.

i.e. & to &amp;, < to &lt;, > to &gt; and " to &quot; (assuming you delimit your attribute values using " and not ').

In Perl use HTML::Entities, in TT use the html filter, in PHP use htmlspecialchars. Otherwise look for something similar in the language you are using.

Quentin answered Sep 19 '22 11:09
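Added example (not code from the question or the answer above): re-populating a form field with the user's rejected input while converting the characters the answer lists to entities, and checking with a parser that the attribute still round-trips to the original text. The function names `escape_attr`, `input_field` and `parsed_value` are this example's own; it also escapes `'` so the same function works for single-quoted attributes.

```python
import html
from html.parser import HTMLParser

# The characters the answer lists (& < > ") plus ' for single-quoted attributes.
HTML_ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}

def escape_attr(value: str) -> str:
    """Escape text for use inside a quoted HTML attribute value (single pass)."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in value)

def matches_stdlib(value: str) -> bool:
    """Sanity check: the hand-rolled table agrees with html.escape(..., quote=True)."""
    return escape_attr(value) == html.escape(value, quote=True)

def input_field(name: str, value: str) -> str:
    """Render an <input> whose value attribute carries the user's previous entry."""
    return f'<input type="text" name="{escape_attr(name)}" value="{escape_attr(value)}">'

def unsafe_input_field(name: str, value: str) -> str:
    """The unescaped variant the question asks about, kept only for comparison."""
    return f'<input type="text" name="{name}" value="{value}">'

class _ValueGrabber(HTMLParser):
    """Collect the value attribute of each <input>, decoded the way a browser would."""
    def __init__(self):
        super().__init__()
        self.values = []
    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.values.append(dict(attrs).get("value"))

def parsed_value(markup: str):
    """What a browser would see as the value of the first <input> in markup."""
    grabber = _ValueGrabber()
    grabber.feed(markup)
    return grabber.values[0] if grabber.values else None

# Constructed sample: an innocent entry that happens to contain every special character.
SAMPLE = 'Tom & "Jerry" <3'

if __name__ == "__main__":
    print(input_field("nickname", SAMPLE))
```

The escaped field decodes back to the original string; the unescaped one does not, because the first `"` in the data ends the attribute early.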