How can I catch ngSanitize errors and display the HTML as escaped text

html,angularjs,sanitization,html-sanitizing
We are using AngularJS to try and display user entered content as HTML. Most of the time the users enter valid/safe data which we display correctly using ng-bind-html. Occasionally they enter invalid HTML which I would still like to display as the raw text. If I use ng-bind-html to attempt...

Should I implement user data sanitization/validation as middleware?

php,validation,middleware,slim,sanitization
I'm reimplementing my user management system with Slim, and I'm trying to figure out where I should do user data sanitization/validation. I've been reading about middleware, and I'm wondering if this is an appropriate way to implement data validation. My plan for validation is to use a validation schema (a...

Laravel HTML and SQL sanitisation

php,html,sql,laravel,sanitization
What are the appropriate ways to do HTML sanitisation and SQL sanitisation in Laravel 4?

Is this a good Sanitization function?

php,mysql,pdo,sanitization
Just want to say for all of my previous questions, thanks for helping me out with a few issues. Of course I'm a noob but learning is key. I'm making a function that sanitizes the input before it gets submitted into the query to make sure it is secure. These...

Sanitize and Highlight Text with HTML at the same time

php,html,sanitization
My web site offers a possibility to store user data and to search for it again. When searching, all data is being printed that contains the query. I want the matching substrings to be highlighted. In simplified terms I did it like this: function highlight_and_sanitize_search_result($data, $query){ $highlighted = str_replace( $query,...

Can an SQL injection be made with a single word in a SELECT statement?

php,mysqli,sql-injection,sanitization
Suppose you have a query looking like this: SELECT * FROM messages WHERE sender='clean_username' where the clean_username is received over get/post and sanitized like this: $clean_username = preg_replace( '/[^A-Za-z0-9_]+/m' , '', $dirty_username ); The above code removes any whitespace (among other things), which means that the valid_username parameter will always...

Safest way to take user input, put it in a database, and then output it using PHP [closed]

php,codeigniter,xss,sanitization,input-sanitization
This is the most confusing part I encountered today. I'm using CodeIgniter, but its XSS filter doesn't seem to work properly as we expect, so we tried using htmlentities while saving the data into the database, but I read somewhere that we should never change/edit the user-inputted data in the database,...

How to sanitize X-Editable value *before* editing?

javascript,twitter-bootstrap,sanitization,x-editable
I'm using X-Editable to give users the possibility to edit values inline. This works great, but I now want to use it for some money values which are localized in a "European way" (e.g.: € 12.000.000,00). When I click edit, I want the input to only contain 12000000 though. Is...

Is .text() safe or not to sanitize data? [jQuery]

jquery,json,sanitization
I've seen that this question has been asked elsewhere: Escaping HTML strings with jQuery. The answer marked as correct by @travis says that .text() is fine. However, some people mentioned in the comments (e.g. @nivcaner and @lior) that this solution is not good. Where do we stand? Can I...

Putting unsanitized data in header() function

php,security,header,sanitization
Am I leaving my site vulnerable to attack by not filtering data inside a header redirect? For example: $foo = $_GET['foo']; header("Location: /bar.php?foo=$foo"); die(); if the answer is yes, what types of attacks are they, and is simply escaping the data with htmlentities a viable solution? $foo = $_GET['foo']; $foo...

Data validation / Sanitization callback function

wordpress,sanitization
I added a section to the customizer of my WP theme that allows a user to change which categories display on the first page of the theme. However, when checking with the Theme Check plugin, it returned the following error: REQUIRED: Found a Customizer setting that did not have a...

Sanitising a JSON String value in Java

java,json,escaping,sanitization,org.json
I need to accept a string from the user and put it as-is into a JSONObject. The documentation says strings may be quoted with ' but it seems obvious I've misunderstood. Is this sufficient or am I missing something? jsonObject.put("name", "'" + userInput + "'"); I stepped through the put...

Sanitizing url and parameters

validation,security,sanitization
Currently, my software has the following workflow: (1) the user performs a search through a REST API and selects an item; (2) the server performs the same search again to validate the user's selection. In order to implement step 2, the user has to send the URL params that he used for his search...

Is it safe to unescape ampersand for user input?

php,html,html-entities,sanitization
After a few hours of bug searching, I found out the cause of one of my most annoying bugs. When users are typing out a message on my site, they can title it with plaintext and html entities. This means in some instances, users will type a title with common...

How to validate and sanitize array of data in php?

php,arrays,validation,sanitization
I want to validate and sanitize data which comes from POST array. My POST data is something like this: Array ( [category_name] => fsdfsfwereq34 [subCategory] => Array ( [0] => sdfadsffasfasdf [1] => sdfasfdsafadsf [2] => safdfdasfas ) [category-submitted] => TRUE ) 1 I can validate and sanitize category_name and...

How to sanitize form values to allow text-only

coldfusion,sanitization,coldfusion-11,antisamy
I understand that if a user needs to supply HTML code as part of a form input (e.g. in a textarea) then I use an Anti-Samy policy to filter out the hazardous HTML that's not permitted. However, I have some text-fields and text-areas which should be text-only. No HTML code...