system_critical wrote: I have stripped the html from the text areas completely except for the contact section in which I have allowed the <a> tag.
I suppose you are using strip_tags(), and be warned that client side scripting can still be embedded into the links. Another concern is that strip_tags() errs on the side of safety, which means that legitimate text can be mistaken for HTML tags and thus removed.
system_critical wrote: I was curious what would be the best way to allow users to include links, to say their webpage, without creating too great of a security risk. Also, in general what are some good characters to remove from text areas in general?
I consider it better to use htmlspecialchars() or htmlentities() instead of strip_tags() in conjunction with some kind of bbcode, e.g., by using regular expressions or the bbcode extension.
EDIT:
If you are talking not about displaying the text but about storing it in a database, then yes, dagon's advice is sound, except that you should use the appropriate escaping mechanism, not blindly use mysql_real_escape_string().
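An added PHP example (not code from this thread) of the approach suggested above: escape everything with htmlspecialchars(), then convert a single BBCode link tag into an <a> element whose target is allow-listed to http and https, so script schemes in the link never reach the href attribute. The [url=...]...[/url] syntax, the function name and the constructed inputs are assumptions.

```php
<?php
// render_user_text(): escape first, then re-introduce only the markup
// we generate ourselves. The BBCode tag syntax is an assumption.
function render_user_text(string $raw): string
{
    // 1. Neutralise every HTML character; from here on nothing the
    //    user typed is interpreted as markup.
    $escaped = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Match [url=...]label[/url] on the *escaped* text, so a quote
    //    inside the tag is already &quot; and cannot close our attribute.
    return preg_replace_callback(
        '~\[url=([^\]\s]+)\](.*?)\[/url\]~is',
        function (array $m): string {
            // Decode the entities added in step 1 to inspect the real URL.
            $url   = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            $label = $m[2]; // still escaped, safe to emit as text

            // 3. Allow-list the scheme and require a well-formed URL;
            //    anything else stays as the plain (escaped) text it was.
            $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
            if (!in_array($scheme, ['http', 'https'], true)
                || filter_var($url, FILTER_VALIDATE_URL) === false) {
                return $m[0];
            }

            // 4. Re-escape the validated URL for the attribute context.
            $href = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $href . '" rel="nofollow noopener">' . $label . '</a>';
        },
        $escaped
    );
}

// Constructed sample inputs: the first becomes a link, the second is
// rejected by the scheme check and the <script> text is rendered inert.
echo render_user_text('Visit [url=https://example.com/?a=1&b=2]my page[/url]'), "\n";
echo render_user_text('[url=javascript:void(0)]click[/url] <script>x</script>'), "\n";
```

The escaping here is for HTML output only; when the same text is stored, use the database driver's parameter binding rather than reusing this function.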