Hi there,
To what extent can users submit HTML?
I noticed that regular links (<a href> </a>) work, but html/head/body tags do not.
Also, are users restricted from submitting PHP/CSS/Javascript code through the form fields as well?
Thanks!
Hey,
Did you get an answer to this? Can you PM me with any response you got pls!?
Thanks
L
Sorry L,
I have not received a response to date.
I am nearly positive that only basic HTML will show up in the submitted results.
So far, my PHP code gets dropped from the results when the form submits,
same with javascript.
I'd imagine it's reasonably safe, although I'm surprised that no one confirmed this.
Hi Talaysen,
ChronoForms will allow most code through as far as I know. Though it may well not display in an email or a web page unless you escape it appropriately.
Generally allowing unescaped PHP, Scripts or MySQL is not a good idea and Joomla! has some filters that can be used to prevent this.
If in doubt, test.
Bob
So what does that mean in regards to the security of chronoforms?
Could a malicious user use that to attempt to damage the website?
Hi Talaysen,
Only if your form design doesn't validate and filter the data submitted.
Bob
I'm assuming chronoform doesn't do this on its own, then?
Hi Talaysen,
You assume correctly. ChronoForms has no way of knowing what kind of data you might want to have submitted.
Bob
How would I go about filtering the form results to exclude php/scripts?
Would you consider this to be very advanced, or something that could be accomplished relatively easily?
I saw somewhere that chronoforms has a validation feature, but I was unsure of how it works. Is there an article that covers this information?
Thanks for all your responses Bob. I've read a lot of the information that you've posted on here, your input is always valuable.
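One way to do the filtering Bob refers to, using Joomla!'s own JFilterInput in whitelist mode so that only plain text and simple links survive a submission. This is an added illustration, not ChronoForms code or anything posted in this thread; it assumes it runs inside a Joomla! request where JFilterInput is loaded, and the sample submission values are constructed for the demonstration.

```php
<?php
// Added example, not code from the ChronoForms project or this thread.
// Assumes Joomla!'s JFilterInput class is available (it is inside any Joomla! request).
// Goal: keep plain text and <a href="..."> links, drop everything else (PHP tags,
// <script>, event-handler attributes, other markup) before values are stored or emailed.

// Whitelist mode: tagsMethod = 0 and attrMethod = 0 mean "only these tags / attributes".
$filter = JFilterInput::getInstance(array('a'), array('href'), 0, 0);

/**
 * Clean every submitted field with the whitelist filter.
 * Fields listed in $textOnly are cleaned as plain strings (no tags at all).
 */
function cleanSubmission(array $fields, JFilterInput $filter, array $textOnly = array())
{
    $clean = array();
    foreach ($fields as $name => $value) {
        if (in_array($name, $textOnly, true)) {
            // 'string' strips all tags; suitable for names, subjects, etc.
            $clean[$name] = $filter->clean($value, 'string');
        } else {
            // 'html' keeps only the whitelisted tags and attributes.
            $clean[$name] = $filter->clean($value, 'html');
        }
    }
    return $clean;
}

// Constructed sample submission for illustration.
$submitted = array(
    'name'    => 'Talaysen <script>alert(1)</script>',
    'website' => '<a href="http://example.com" onclick="doSomething()">my site</a>',
    'comment' => '<?php echo "hi"; ?> <b>bold</b> is dropped but links stay',
);

$clean = cleanSubmission($submitted, $filter, array('name'));

// Whatever is kept must still be escaped where it is rendered: when the value is
// placed into an HTML email or page as text (not as markup), use htmlspecialchars().
foreach ($clean as $name => $value) {
    echo $name . ': ' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "\n";
}
```

Test with the inputs the thread mentions (a link, a PHP block, a script tag) and confirm the stored and emailed copies contain only what you intended to allow.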