Should HTML ever be allowed as user input?

AliceH

Should users ever be allowed to post html?
I think it's a big security risk.

And if this is the case then why do most applications perform htmlspecialchars when printing the data? Why not just do this:

if($POST) // or get, cookie
{
1. check if gpc is off, if so addslashes
2. then perform htmlspecialchars(trim($POST))
}

This will eliminate the constant need of perfoming htmlspecialchars on every global that's about to be displayed.

And then of course perform stripslashes before printing.

It just seems to me that an application might run slightly faster this way( use htmlspecialchars only once ).

AliceH

bump 🙁

laserlight

the downside is that if you expect html tags to be included, say in a certain content management system, then displaying that way could mean a higher storage requirement.

Conversely, if you did want to display the html, then you have to do the reverse operation.

There is a trade-off as such.

AliceH

Originally posted by laserlight
the downside is that if you expect html tags to be included, say in a certain content management system, then displaying that way could mean a higher storage requirement.

I'm sorry I don't fully understand what you mean by this.
Why could it mean a higher storage requirement?

Because '<' is 4 characters? (so it adds up?)
do you suggest using striptags first? and then htmlspecialchars (to rid of xss attacks)?

laserlight

If you strip out the tags, then there's no point in using htmlspecialchars()

Arc

WEll depending on the application I wouldn;t worry about it. Unless it's really high security stuff. htmlspecialchars works just fine.