User-submittable HTML

Talaysen 22 Jun, 2010
Hi there,

To what extent can users submit HTML?
I noticed that regular links (<a href> </a>) work, but html/head/body tags do not.
Also, are users restricted from submitting PHP/CSS/Javascript code through the form fields as well?


Thanks!
ashyuk 29 Jun, 2010
Hey,

Did you get an answer to this? Can you PM me with any response you got pls!?

Thanks
L
Talaysen 29 Jun, 2010
Sorry L,
I have not received a response to date.

I am nearly positive that only basic HTML will show up in the submitted results.
So far, my PHP code gets dropped from the results when the form submits,
same with javascript.

I'd imagine it's reasonably safe, although I'm surprised that no one confirmed this.
GreyHead 30 Jun, 2010
Hi Talaysen,

ChronoForms will allow most code through as far as I know. Though it may well not display in an email or a web page unless you escape it appropriately.

Generally allowing unescaped PHP, Scripts or MySql is not a good idea and Joomla! has some filters that can be used to prevent this.

If in doubt, test.

Bob
Talaysen 30 Jun, 2010
So what does that mean in regards to the security of chronoforms?
Could a malicious user use that to attempt to damage the website?
GreyHead 30 Jun, 2010
Hi Talaysen,

Only if your form design doesn't validate and filter the data submitted.

Bob
Talaysen 30 Jun, 2010
I'm assuming ChronoForms doesn't do this on its own, then?
GreyHead 01 Jul, 2010
Hi Talaysen,

You assume correctly. ChronoForms has no way of knowing what kind of data you might want to have submitted.

Bob
Talaysen 07 Jul, 2010
How would I go about filtering the form results to exclude PHP/scripts?
Would you consider this to be very advanced, or something that could be accomplished relatively easily?
I saw that ChronoForms has a validation feature, but I was unsure of how it works. Is there an article that covers this information?

Thanks for all your responses, Bob. I've read a lot of the information that you've posted on here; your input is always valuable.
GreyHead 07 Jul, 2010
Hi Talaysen,

You can do it in the OnSubmit Before Email box using the Joomla JRequest code; docs here.

Bob
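As an added example, not code from ChronoForms or Joomla, here is the kind of server-side filter Bob is pointing at: it keeps only the basic `<a href>` links the thread says get through, drops scripts, PHP blocks and event-handler attributes, and escapes fields that should never carry markup. The function names and the sample input are assumptions made for this illustration.

```php
<?php
// Added example (not ChronoForms or Joomla code): an allowlist filter for a
// form field that may contain basic HTML, plus escaping for plain-text fields.
// Assumptions: the value arrives as a string; only <a href="..."> pointing at
// an http(s) URL is allowed through; everything else becomes plain text.

function filterSubmittedHtml(string $value): string
{
    // 1. Drop every tag except <a>. strip_tags also removes <script>,
    //    <style>, <iframe> and PHP open/close tag blocks.
    $value = strip_tags($value, '<a>');

    // 2. strip_tags keeps attributes, so rebuild each <a> with only a
    //    validated href. onclick=, style= and javascript: URLs are discarded.
    $value = preg_replace_callback(
        '/<a\b[^>]*>/i',
        function (array $m): string {
            if (preg_match('/\bhref\s*=\s*(["\'])(.*?)\1/i', $m[0], $h)) {
                $url = trim(html_entity_decode($h[2], ENT_QUOTES, 'UTF-8'));
                if (preg_match('#^https?://#i', $url)) {
                    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">';
                }
            }
            return '<a>'; // no acceptable href: keep the link text, drop the link
        },
        $value
    );

    return $value;
}

// For fields that must never contain markup (name, subject, ...), do not try
// to clean HTML at all: escape the raw value when it is rendered.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input, as a user might type it into a form field.
$submitted = 'See <a href="https://example.com" onclick="alert(1)">this</a> '
           . '<script>alert(1)</script> '
           . '<a href="javascript:alert(1)">bad</a>';

echo filterSubmittedHtml($submitted), PHP_EOL; // only the https link survives
echo escapeForHtml($submitted), PHP_EOL;       // everything rendered as text
```

Run the filter on the server, after submission and before the value reaches the email or the stored results; client-side validation alone can be bypassed by anyone posting directly to the form URL.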