sanitization

Is there a way to safely sanitize path input, without using realpath() ? Aim is to prevent malicious inputs like ../../../../../path/to/file $handle = fopen($path . '/' . $filename, 'r'); Not sure why you wouldn't want to use realpath but path name sanitisation is a very simple concept, along the following lines: If the path is relative (does not start with / ), prefix it with the current working directory and / , making it an absolute path. Replace all sequences of more than one / with a single one (a) . Replace all occurrences of /./ with / . Remove /. if at the end. Replace /anything/../

I'm trying to sanitize any data that's inputted by making sure the data is valid for a particular field (e.g. a name can't contain special characters/numbers etc..) However, I'm not sure what to do when it comes to a password field. Would I even need to bother with any sanitization as the password is simply hashed? If the user was to inject anything malicious via the password textbox, should I bother checking for anything suspicious? AFAIK, some users may (should!) have special characters such as '< >', which would normally trigger a potential attack alert. Should I just leave the password

I'm using Jsoup with relaxed whitelist. It seems perfect but I would like to keep the embedded images tags like <img alt="" src="data:;base64 . Is there a way to modify the whitelist to accept also those img? Edit : If I use Whitelist.relaxed().addProtocols("img","src","data") then those img tags are not removed. But it accepts anything after "data:" and I would like just to keep them if src content starts with "data:;base64". Is it possible with jsoup? You can extend Whitelist and override isSafeAttribute to perform custom checks. As there's no way to extend Whitelist.relaxed() directly, you

I have a rich text editor that passes HTML to the server. That HTML is then displayed to other users. I want to make sure there is no JavaScript in that HTML. Is there any way to do this? Also, I'm using ASP.NET if that helps. The simplest thing to do would be to either strip out tags with a regex. Trouble is that you could do plenty of nasty things without script tags (e.g. imbed dodgy images, have links to other sites that have nasty Javascript) . Disabling HTML completely by convert the less than/greater than characters into their HTML entities forms (e.g. <) could also be an option. If you

I have a website in php that does include() to embed the content into a template. The page to load is given in a get parameter, I add ".php" to the end of the parameter and include that page. I need to do some security check to avoid XSS or other stuff (not mysql injection since we do not have a database). What I've come up with is the following. $page = $_GET['page']; if(!strpos(strtolower($page), 'http') || !strpos($page, '/') || !strpos($page, '\\') || !strpos($page, '..')) { //append ".php" to $page and include the page Is there any other thing I can do to furtherly sanitize my input?

I am just looking into using HTML Purifier to ensure that a user-inputed string (that represents the name of a person) is sanitized. I do not want to allow any html tags, script, markup etc - I just want the alpha, numeric and normal punctuation characters. The sheer number of options available for HTML Purifier is daunting and, as far as i can see, the docs do not seem to have a beggining/middle or end see: http://htmlpurifier.org/docs Is there a simple hello world tutorial online for HTML Purifier that shows how to sanitize a string removing all the bad stuff out of it. I am also considering

I have a form with a lot of variables which is then sending an email, rather than sanitizing each $_POST value with filter_var($_POST['var'], FILTER_SANITIZE_STRING); I was after a more simple piece of code. I came up with the below, which seems to work as I believe the default action is FILTER_SANITIZE_STRING , but I was just wondering what peoples opinions are, and if this is not good practice, perhaps you could tell me why? The $_POST values are then individually embedded into new variables, so I would only be using array_map just at the start to sanitize everything... $_POST = array_map(

Using Rails, I need to get a plain text and show it as HTML, but I don't want to use <pre> tag, as it changes the format. I needed to subclass HTML::WhiteListSanitizer to escape non whitelisted tags (by changing process_node ), monkey patch HTML::Node to don't downcase tags' names and monkey patch HTML::Text to apply <wbr /> word splitting: class Text2HTML def self.convert text text = simple_format text text = auto_link text, :all, :target => '_blank' text = NonHTMLEscaper.sanitize text text end # based on http://www.ruby-forum.com/topic/87492 def self.wbr_split str, len = 10 fragment = /.{#