html5 pattern versus htmlspecialchars and related questions

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!

mauricev
New php-forum User
Posts: 1
Joined: Sun Aug 16, 2020 4:18 pm

Sun Aug 16, 2020 4:35 pm

Do I need to sanitize data coming from an input element (e.g., text) that has a pattern attribute that blocks script tags, like < and > and quote characters? I am not seeing any reference on the web relating to using the html5 pattern attribute to intercept cross site scripting injection attacks.

What about data coming from an input element (e.g., text) that is headed to a database column that's only 11 characters wide? It would seem no matter what was injected, 11 characters wouldn't be enough to do anything other than replace the valid data that would have gone there?

If data is coming back from the database, do I need to re-sanitize it? If the answer is yes, then should it apply to *every* value= ? Even ones with the pattern attribute blocking as I indicated above.
hyper
php-forum GURU
Posts: 1190
Joined: Mon Feb 22, 2016 5:52 pm

Mon Aug 17, 2020 9:37 am

Never trust user input.

Always validate it. (make sure you get what you expect, date, name, number etc..)

Setting HTML attributes cannot make sure you will be sent correct data.

No version of HTML will stop cross site scripting, it cannot.

There is a lot of regurgitated rubbish on the internet along with some good advice so you'll have to do a lot of reading to understand how your site can be attacked and how to prevent it - understand is the key word. htmlspecialchars and using prepared statements when storing data in your database is a start, but never assume that you are completely safe, things change.
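An added example (not code from either poster) showing the three points of the question handled server-side in PHP: the same rule as the input's pattern attribute re-checked on the server, a prepared statement for the 11-character column, and htmlspecialchars applied to every value= on output, including rows read back from the database. The table and column names, the $pdo connection and all sample input are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Same rule as <input pattern="[A-Za-z0-9_]{1,11}">; the browser check is
// only a convenience, a request can be sent without it, so re-check here.
const HANDLE_PATTERN = '/^[A-Za-z0-9_]{1,11}$/';

function validateHandle(string $raw): ?string
{
    return preg_match(HANDLE_PATTERN, $raw) === 1 ? $raw : null;
}

// Escape for HTML on *every* output, including value="..." attributes and
// data read back from the database, whether or not it was validated on input.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderInput(string $name, string $value): string
{
    return '<input type="text" name="' . h($name) . '" value="' . h($value)
        . '" pattern="[A-Za-z0-9_]{1,11}" maxlength="11">';
}

// Assumed table "users" with an 11-character column "handle"; the prepared
// statement keeps the value out of the SQL text regardless of its content.
function storeHandle(PDO $pdo, string $handle): void
{
    $stmt = $pdo->prepare('INSERT INTO users (handle) VALUES (:handle)');
    $stmt->execute([':handle' => $handle]);
}

// Constructed request, as if the pattern attribute had been removed client-side.
// Note the second value is only 7 characters, well under the 11-character column.
$submitted = ['handle' => 'abc_123', 'nick' => '"><i>hi'];
foreach ($submitted as $field => $raw) {
    $clean = validateHandle($raw);
    echo $field, ': ', $clean === null ? 'rejected' : 'accepted', "\n";
    // if ($clean !== null) { storeHandle($pdo, $clean); }  // needs a PDO connection
}

// Constructed "row from the database" that was stored before validation existed:
// the quote would otherwise close the value attribute, so it is escaped on output.
$fromDb = ['handle' => 'x" onfocus'];
echo renderInput('handle', $fromDb['handle']), "\n";
```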