Hello, I'm in the process of creating a form submission page. In mypage.tform.php I have this form definition. I copied it from the help directory's form definition file.

PHP:
    'message' => array (
        'datatype'   => 'VARCHAR',
        'formtype'   => 'TEXTAREA',
        'validators' => array (
            0 => array ( 'type' => 'NOTEMPTY', 'errmsg' => 'message_is_empty'),
        ),
        'default'    => $query,
        'value'      => '',
        'cols'       => '30',
        'rows'       => '10',
        'maxlength'  => '255'
    ),

My question is, how does ISPC filter database output to HTML? When I paste JavaScript code

Code:
    <script type="text/javascript">alert('Xss test');</script>

into the input field, the message is stored in the database without being filtered and is displayed in the browser without being filtered in the definition file. However, I don't get any alert box? Where does the output filtering for, for example, the Help Support Message happen? Thanks in advance.
You must validate the value from the form yourself. Use an additional validator or check the values before update / submit.
Florian, I don't see any output filtering for 'message' in support_message.tform.php. I've copied and pasted the form definition below:

PHP:
    'message' => array (
        'datatype'   => 'VARCHAR',
        'formtype'   => 'TEXTAREA',
        'validators' => array (
            0 => array ( 'type' => 'NOTEMPTY', 'errmsg' => 'message_is_empty'),
        ),
        'default'    => '',
        'value'      => '',
        'cols'       => '30',
        'rows'       => '10',
        'maxlength'  => '255'
    ),

You said to filter it. How does the code above filter the message queried from the DB before outputting it to the web browser? I don't see any htmlspecialchars() being used. I hope you understand what I'm trying to convey...
AFAIK there is no filter when reading from the database. You can change the content before the settings are stored in the database. For the support message it should be $message in support_message_edit.php. You can also look at the master branch in the git. There are several validations like $domain_name = rtrim($soa['origin'], '.'); in dns_dmarc_edit.php. This example does not check the content but changes the submitted value. You can use a regex to filter some chars.
htmlspecialchars is applied automatically to content of type text before it is parsed into the form file. See class tform.inc.php, function getHTML, line 541: $new_record[$key] = htmlspecialchars($record[$key]); in the current stable version.
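The two halves of the thread (no input filtering beyond NOTEMPTY on the way into the database, htmlspecialchars() applied when the record is rendered back into the form) as an added, self-contained example. This is not ISPConfig's code and not the tform class; the validate_notempty() and escape_record() functions, the $db_row array standing in for a database row, and the sample input are all constructed for illustration.

```php
<?php
// Added example, not ISPConfig's code. It mimics the two halves described in
// the thread: the tform definition stores whatever the user typed (NOTEMPTY is
// the only validator), and the rendering step escapes it with htmlspecialchars().

// Constructed sample input: what an attacker would type into the "message" textarea.
$submitted = "<script type=\"text/javascript\">alert('Xss test');</script>";

// 1. Storage side: the form definition only checks NOTEMPTY, so the string
//    reaches the database unchanged. (A plain array stands in for the DB row.)
function validate_notempty(string $value): array {
    return trim($value) === '' ? ['message_is_empty'] : [];
}
$errors = validate_notempty($submitted);
$db_row = empty($errors) ? ['message' => $submitted] : null;

// 2. Output side, the way the thread describes tform's getHTML(): every text
//    value is run through htmlspecialchars() before it is substituted into the
//    template. The raw value never reaches the browser as markup.
function escape_record(array $record): array {
    $out = [];
    foreach ($record as $key => $value) {
        // ENT_QUOTES so the value is also safe inside single-quoted attributes;
        // before PHP 8.1 the default flags leave the single quote untouched.
        $out[$key] = htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return $out;
}

$safe = escape_record($db_row);
echo "<textarea name=\"message\">" . $safe['message'] . "</textarea>\n";
// The browser shows the literal text; no script executes. Output:
// <textarea name="message">&lt;script type=&quot;text/javascript&quot;&gt;alert(&#039;Xss test&#039;);&lt;/script&gt;</textarea>

// 3. The caveat: nothing was filtered on the way in, so any other output path
//    that prints the row directly (a list view, an email body, a JSON dump)
//    bypasses the form renderer and is stored XSS.
echo "<div>" . $db_row['message'] . "</div>\n"; // DON'T: the script runs here
```

The point to take from the test in the thread: the alert did not fire because the edit form is the one output path that escapes, not because the input was sanitised. Each place that prints the stored message needs its own htmlspecialchars() (or context-appropriate encoding) at the point of output.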
Yes, that's it. No wonder XSS didn't work when I tested it. The field was filtered in another PHP file.