
Sanitizing The Contact Form : Required?

Discussion in 'XenForo Development Discussions' started by TheBigK, Sep 15, 2015.

  1. TheBigK

    TheBigK Well-Known Member

    I'm wondering if one should really bother about sanitizing the inputs from the contact us form? Looking at XenForo's actionContact(), it doesn't seem to check if the input contains anything malicious. Since the stuff is directly being passed to the mail handler, is it really worth sanitizing the contact us form?

    If yes, what inbuilt functions / methods are employed to ensure inputs are all safe?
     
  2. Snog

    Snog Well-Known Member

    I could be wrong, but I believe the inputs are filtered (sanitized).
    Code:
    $input = $this->_input->filter(array(
        'subject' => XenForo_Input::STRING,
        'message' => XenForo_Input::STRING
    ));
    
    That should strip out control characters and other items. Take a look at the XenForo_Input class for more info.

    Anything else I would think would be handled by the server virus scanner and the end user's virus scanners.
     
  3. TheBigK

    TheBigK Well-Known Member

    Thank you @Snog. I'm however not sure if the 'filter' would actually filter or sanitize the input information. Can someone confirm this?
     
  4. Lawrence

    Lawrence Well-Known Member

    By filter and sanitize do you mean remove code, like: <script> blah blah blah</script>? If so, then it doesn't for the contact us form. Which should not be a concern as email clients won't process this in the body anyways.

    IMO, it is not worth sanitizing as I want to see what malicious code someone is trying to send, and then why.
     
  5. Zenexer

    Zenexer Active Member

    @TheBigK The template engine takes care of escaping all HTML. If you escape it first, then it's going to get double-escaped, and you'll have emails that look like &lt;span class=&quot;banana&quot;&gt;this&lt;span&gt;.

    Because you have a contact form.
     
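The two behaviours argued about in this thread, a control-character-stripping STRING filter (Snog's post) and the double-escaping that results from escaping a field before the template engine escapes it again (Zenexer's post), shown side by side in plain PHP. This is an added example and is not XenForo's own code: the functions filterString, filterSubject and escapeForTemplate are hypothetical stand-ins that approximate the described behaviour, not a copy of XenForo_Input::filter or of the template engine, and the sample inputs are constructed.

```php
<?php
// Added example, not XenForo's own code. It mimics, in plain PHP, the two
// behaviours discussed in the thread: a STRING-style filter that drops
// control characters (what Snog attributes to XenForo_Input::STRING), and
// the double-escaping effect Zenexer warns about when a field is
// HTML-escaped before the template engine escapes it again at output time.
// All function names are hypothetical; XenForo_Input itself is not used.

declare(strict_types=1);

/**
 * Approximates a "STRING" filter: keep printable text, tabs and line breaks,
 * drop the other ASCII control characters (0x00-0x1F except \t, \n, \r, and
 * 0x7F), normalise CRLF/CR to LF and trim surrounding whitespace.
 * Assumption: this is what a control-character-stripping filter does; it is
 * not a copy of XenForo_Input's implementation.
 */
function filterString(string $value): string
{
    // Drop NUL and other control bytes, keeping tab and line breaks for now.
    $value = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value);
    // Normalise line endings so the message body is consistent.
    $value = str_replace(["\r\n", "\r"], "\n", $value);
    return trim($value);
}

/**
 * Single-line variant for the subject. A mail subject is a header field, and
 * a line break inside a header can be read by the mail handler as the start
 * of a new header, so a subject filter collapses line breaks to spaces.
 */
function filterSubject(string $value): string
{
    return str_replace("\n", ' ', filterString($value));
}

/**
 * What the template engine does for you: escape once, at output time.
 */
function escapeForTemplate(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// --- Constructed sample input (not real form submissions) ---
$rawSubject = "Hello\r\nsecond line\x00";
$rawMessage = "<span class=\"banana\">this</span>\x07 bell";

$subject = filterSubject($rawSubject);
$message = filterString($rawMessage);

// The NUL byte and the line break are gone from the subject.
assert($subject === 'Hello second line');
// The HTML in the body is untouched: filtering control characters is not
// the same as escaping markup, which matches Lawrence's observation.
assert($message === '<span class="banana">this</span> bell');

// Escaped once by the template: the recipient sees the markup as text.
$onceEscaped = escapeForTemplate($message);
assert($onceEscaped === '&lt;span class=&quot;banana&quot;&gt;this&lt;/span&gt; bell');

// Escaped by the add-on first and then again by the template: the entities
// themselves get escaped, which is the "&lt;span class=&quot;banana&quot;..."
// text Zenexer describes ending up in the email.
$twiceEscaped = escapeForTemplate($onceEscaped);
assert($twiceEscaped === '&amp;lt;span class=&amp;quot;banana&amp;quot;&amp;gt;this&amp;lt;/span&amp;gt; bell');

echo "subject: $subject\n";
echo "message: $message\n";
echo "once:    $onceEscaped\n";
echo "twice:   $twiceEscaped\n";
```

Run it with `php example.php`; the asserts pass when zend.assertions is enabled (the default for the CLI in development), and the echoed lines show the once-escaped body reading correctly while the twice-escaped one carries the literal `&lt;` and `&quot;` entities. The point for an add-on author is the one made in the thread: strip control characters from the fields, but leave HTML escaping to the template, otherwise the escape happens twice.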
