3 Replies Latest reply on Jan 22, 2008 2:01 PM by Günter Schenk

    Validating Input/Formatting Output and general security.

I'm looking for some general advice regarding securing my ADDT application. Using the validation form behaviour, should I be adding validation formats for all of the fields? At the moment I am validating phone numbers, zip codes and email addresses etc. but not simple alpha-numerics like names and addresses. Should I be building a regular expression for these fields? I'm surprised they are not included as standard if that is the case? Presumably if I don't add a validation format here then any input can be given, including potential XSS vulnerabilities?

Also I have a description input textarea using an RTE (Tiny_MCE), so obviously HTML must be allowed, but how can I restrict certain tags and attributes like <script>, "style" etc.? (Ideally a whitelist of tags would be preferred.)

      Lastly when outputting data from the bindings tab should I be running any functions to secure the output? I've noticed KT_escapeAttribute() is being run to set default values for form fields. Should I be running this on all my output?

      Thanks folks.
        • 1. Re: Validating Input/Formatting Output and general security.
          Günter Schenk Level 4
          Hi Andrew,

I'm using alpha or alpha-numeric regular expressions all the time with regular input fields, and those regexes are quite simple to create.

          ------
          I'm surprised they are not included as standard if that is the case?
          ------

Well, simply because there is no "standard", all the more as a German or Italian name and address differ pretty much from a US address, and they also use additional chars which can't be covered by e.g. the regular "a-zA-Z" regex.

------
Also I have a description input textarea using an RTE (Tiny_MCE), so obviously HTML must be allowed, but how can I restrict certain tags and attributes like <script>, "style" etc.? (Ideally a whitelist of tags would be preferred.)
------

ADDT form validation routines don't work with RTE editors in general, because they can't -- once you implement e.g. TinyMCE, the regular HTML textarea is "overwritten" with some IFRAME, which means that ADDT considers the textarea empty. That said, you'll have to impose the required restrictions by excluding certain stuff from the editor's list of "allowed tags".

          Cheers,
          Günter Schenk
          Adobe Community Expert, Dreamweaver
          • 2. Re: Validating Input/Formatting Output and general security.
            Level 1
            Thanks Günter,

------
ADDT form validation routines don't work with RTE editors in general, because they can't -- once you implement e.g. TinyMCE, the regular HTML textarea is "overwritten" with some IFRAME, which means that ADDT considers the textarea empty. That said, you'll have to impose the required restrictions by excluding certain stuff from the editor's list of "allowed tags".
------

            Could I use the convert to XHTML feature of ADDT (I understand this uses Tidy) in this case?
            • 3. Re: Validating Input/Formatting Output and general security.
              Günter Schenk Level 4
              Andrew,

              ----
              Could I use the convert to XHTML feature of ADDT (I understand this uses Tidy) in this case?
              ----

I strongly doubt that, because ADDT has no clue that an RTE editor has been added and what its "virtual IFRAME" contains -- all ADDT can handle is the contents of the existing standard textarea, but this one remains empty when replacing it with whatever RTE editor.

              Cheers,
              Günter Schenk
              Adobe Community Expert, Dreamweaver
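The original question asks for a whitelist of tags for the RTE description field, and the replies explain that ADDT's validation and Tidy conversion never see what the editor submits, so any restriction configured in TinyMCE is client-side only and the server code that receives the POST has to enforce its own allow list. The following is an added example of such a server-side allow-list sanitizer written in Python; it is not ADDT, TinyMCE or Tidy code, the tag and attribute policy is an assumed illustrative one, and for production a maintained HTML sanitizer library is the better choice.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy: tags the description field may contain, with the attributes
# permitted on each. Anything not listed (<script>, <iframe>, style=, on*=, ...) is dropped.
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "a": {"href", "title"},
}
DROP_CONTENT = {"script", "style"}   # the tag *and* its text are discarded
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID = {"br"}                        # no closing tag is emitted for these

def _safe_href(value):
    # Remove whitespace/control characters first so "java\nscript:" cannot slip past.
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
    scheme = urlparse(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES   # relative links are allowed

class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0   # skip > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED:
            kept = [f' {n}="{escape(v, quote=True)}"' for n, v in attrs
                    if n in ALLOWED[tag] and v is not None
                    and (n != "href" or _safe_href(v))]
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text is re-escaped on output

def sanitize_html(fragment):
    """Return `fragment` reduced to the allow-listed tags and attributes."""
    parser = _Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Run the submitted RTE value through `sanitize_html()` before storing it, and keep using KT_escapeAttribute() or equivalent escaping for plain-text fields that are echoed back into pages; the two address different outputs.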