Saving Textarea fields with HTML tags: sanitizer & escaping questions


Hi All,

I'm stumped by the right (safe) way to save textarea fields, via the API, and allow HTML tags and programming code.

I'm creating a help ticket system that requires that type of content, that will display the codes in 'view' mode, not the result of the code.

I've noted that the PW backend saves that type of content perfectly well, but I haven't been able to find the admin code in the core files, to copy the method of saving.

* When I used the sanitizer->textarea function, it stripped out the code, and the option to list allowed tags would have been very long.

* I noticed an option in the core files for 'stripTags' => false, but it was ignored when I tried that.

* When I did a str_replace on single quotes, with backslashes, it just added extra backslashes.

* When I used: $field_value = $db->real_escape_string($input->post->$field_name); it escaped line breaks, which I don't want.

* Finally, when I simply saved the field without any escaping or sanitizing, it worked perfectly, even with single quotes in the text, but I somehow assumed that I should do something more secure than that.

(and of course I'm using htmlentities on the 'view' mode)

I read Ryan's post about SQL injections being a non-issue in PW, but there are also numerous posts about using sanitizer, and some about escaping single quotes.

So... is it safe enough to not use sanitizer->textarea, or is there something I'm missing?

Thanks,

Peter

I haven't got time to look into how Ryan exactly handles the database stuff, but I'm assuming that since PW uses PDO, prepared statements and bound parameters are used for saving stuff to the database. This means you can safely store 'code' as is and not be vulnerable to SQL injection.

For the display part htmlentities could be enough but this is not always the case and depends on how you implement it. Some further reading, for example:

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

* Finally, when I simply saved the field without any escaping or sanitizing, it worked perfectly, even with single quotes in the text, but I somehow assumed that I should do something more secure than that.

If you are populating this data to a PW textarea field, then it's going to take care of ensuring the data is sanitized for storage in the DB. You don't need to do that. However, what you need to be concerned about is outputting that data. That data could contain stuff that may be perfectly safe for DB storage, but is full of XSS when presented to the user. If you need to allow markup from untrusted users, your best bet is to sanitize with HTML Purifier. We also have a MarkupHTMLPurifier module for ProcessWire. You would simply run it through HTML Purifier before populating to the PW page field, and that would have the effect of removing markup which could be considered problematic or insecure.

Another alternative is to use a restricted LML, like Textile Restricted or BBCode. But of course your users would have to use that LML rather than HTML, which may or may not be desirable.
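The two points made in this thread (store the raw text through a bound parameter, and decide at output time between escaping and purifying) as an added PHP example; it is not code from the thread or from ProcessWire. It assumes pdo_sqlite is available for the in-memory demo, a constructed `tickets` table, and that the MarkupHTMLPurifier module exposes a `purify()` method (assumption).

```php
<?php
// Added example, not from the original thread or the ProcessWire core.

// 1. Storage: a prepared statement with a bound parameter. The body goes in
//    exactly as typed; quotes, backslashes, line breaks and <tags> need no
//    escaping here, and real_escape_string/str_replace would only damage it.
function saveTicket(PDO $db, string $title, string $body): int {
    $stmt = $db->prepare('INSERT INTO tickets (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => $title, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadTicketBody(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT body FROM tickets WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// 2. "View" mode: the code must be shown literally, so escape at output time.
//    ENT_QUOTES covers single quotes too; a bare htmlentities() call without
//    it leaves ' untouched, which matters inside single-quoted attributes.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderTicketBody(string $body): string {
    return '<pre><code>' . esc($body) . '</code></pre>';
}

// 3. If the user's markup must actually RENDER, escaping is the wrong tool:
//    run it through HTML Purifier before it reaches the page field.
//    (Assumed API: $modules->get('MarkupHTMLPurifier')->purify($html).)
function purifyForStorage($modules, string $html): string {
    return $modules->get('MarkupHTMLPurifier')->purify($html);
}

// Constructed sample: the kind of text a help-ticket user would paste.
$sample = "Why does this fail?\n<script>alert('x')</script>\n\$x = \"it's\" . \$y;";

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE tickets (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$id = saveTicket($db, 'Quote test', $sample);

$stored = loadTicketBody($db, $id);
if ($stored !== $sample) {
    throw new RuntimeException('body was altered on the way into the database');
}
echo renderTicketBody($stored);   // tags and quotes appear as text, not markup
```

Run it with `php` on the command line; the round-trip check throws if anything about the stored body changed, which is the property the first post was trying to get by hand.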
