html5 pattern versus htmlspecialchars and related questions

Do I need to sanitize data coming from an input element (e.g., text) that has a pattern attribute that blocks script tags, like < and > and quote characters? I am not seeing any reference on the web relating to using the html5 pattern attribute to intercept cross site scripting injection attacks.

What about data coming from an input element (e.g., text) that is headed to a database column that's only 11 characters wide? It would seem no matter what was injected, 11 characters wouldn't be enough to do anything other than replace the valid data that would have gone there?

If data is coming back from the database, do I need to re-sanitize it? If the answer is yes, then should it apply to *every* value=? Even ones with the pattern attribute blocking as I indicated above.

Never trust user input.

Always validate it. (make sure you get what you expect, date, name, number etc..)

Setting HTML attributes cannot make sure you will be sent correct data.

No version of HTML will stop cross site scripting, it cannot.

There is a lot of regurgitated rubbish on the internet along with some good advice so you'll have to do a lot of reading to understand how your site can be attacked and how to prevent it - understand is the key word. htmlspecialchars and using prepared statements when storing data in your database is a start, but never assume that you are completely safe, things change.
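The three steps the reply lists (validate server-side, store with a prepared statement, escape on output) as an added PHP example that is not from either poster; the table, column, pattern and connection details are assumptions:

```php
<?php
// Added example (not from the original thread). The same pattern the browser
// enforces via pattern="" is re-checked server-side, the value is stored with a
// prepared statement, and it is escaped with htmlspecialchars every time it is
// echoed into a value="" attribute. Table/column names are assumptions.
declare(strict_types=1);

// Mirrors pattern="[A-Za-z0-9_-]{1,11}" on the form; the attribute alone is only
// a client-side hint and is never a guarantee of what the server receives.
const CODE_PATTERN = '/^[A-Za-z0-9_-]{1,11}$/';

/** Validate: return the value only if it is exactly what we expect, else null. */
function validateCode(string $raw): ?string
{
    return preg_match(CODE_PATTERN, $raw) === 1 ? $raw : null;
}

/** Store with a prepared statement so the value is never interpolated into SQL. */
function storeCode(PDO $db, string $code): void
{
    $stmt = $db->prepare('INSERT INTO items (code) VALUES (:code)'); // assumed table
    $stmt->execute([':code' => $code]);
}

/** Escape for an HTML attribute: ENT_QUOTES encodes both ' and ", charset given explicitly. */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$raw  = $_POST['code'] ?? '';
$code = validateCode($raw);

if ($code === null) {
    http_response_code(400);
    $error = 'Code must be 1-11 letters, digits, _ or -';
} else {
    $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
    storeCode($db, $code);
}

// Output escaping is applied at echo time regardless of the input's length or of
// any pattern attribute, and equally to values read back from the database.
?>
<input type="text" name="code" pattern="[A-Za-z0-9_-]{1,11}" value="<?= attr($raw) ?>">
<?php if (isset($error)): ?><p><?= attr($error) ?></p><?php endif; ?>
```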