WordPress.org

Forums

Contact Form 7
How can special characters be stripped? (11 posts)

  1. largeblackcoffee
    Member
    Posted 3 years ago #

    I've just recently started using WordPress. One of the things I always worry about is cross-site scripting (XSS) vulnerability. When I program I make sure special characters are stripped so that XSS attacks are neutralized. From my testing of Contact Form 7 it appears that special characters such as < and > are possible. Is there a way to exclude these or is a hack the solution? THANK YOU.

    http://wordpress.org/extend/plugins/contact-form-7/

  2. Takayuki Miyoshi
    Member
    Plugin Author

    Posted 3 years ago #

    Setting Up Mail

    Check the "Use HTML content type" box.

  3. largeblackcoffee
    Member
    Posted 3 years ago #

    Takayuki, thank you for your response. Unfortunately I feel I may have been misunderstood. I tried that setting both ways (off and on), but the result is the same. Special characters do not get removed. They are simply passed on. I'm looking to have < and > removed or converted to ASCII in order to address XSS security concerns. Any suggestions if I hack out a solution? THANKS!

  4. Takayuki Miyoshi
    Member
    Plugin Author

    Posted 3 years ago #

    When you set the HTML option on, the special characters such as "<", ">", "&" are represented as "&lt;", "&gt;", "&amp;" respectively in the message body.

  5. largeblackcoffee
    Member
    Posted 3 years ago #

    Agreed, the message field is good and safe. However, all of the other fields still maintain the characters. My understanding of XSS is that I should be concerned about all submitted fields. Thanks Takayuki.

  6. Takayuki Miyoshi
    Member
    Plugin Author

    Posted 3 years ago #

    What do you mean by "the other fields"? Mail headers? If so, they are not HTML. They are just text data; you can't script in it.

  7. largeblackcoffee
    Member
    Posted 3 years ago #

    Takayuki,

    Sure, they are not HTML once they are part of an e-mail, but it is my understanding that they must be cleansed immediately upon submittal, i.e. in the parsing routine, or prevent use of them through validation.

  8. Takayuki Miyoshi
    Member
    Plugin Author

    Posted 3 years ago #

    No, what is needed for preventing XSS is escaping special characters when you output them into HTML-formatted text. Not input.

  9. largeblackcoffee
    Member
    Posted 3 years ago #

    Takayuki,

    Please confirm I got this right. If the form data is used for an e-mail then escaping is not necessary. However, if it is sent to a display, then it must be escaped.

    Thank You Again!

  10. Takayuki Miyoshi
    Member
    Plugin Author

    Posted 3 years ago #

    If the email's content type is text/plain, escaping HTML special characters makes no sense, so it is not necessary. If the email's content type is text/html or you send it to a display as HTML, you must escape them.
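
    The rule stated in posts 8 and 10 (escape at the point of output, and only where the output is HTML) in working code. This is an added example, not code from Contact Form 7 or from the plugin author; the field names, the `build_plain_body`/`build_html_body` helpers and the sample submission are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Output-side escaping for an HTML text or quoted-attribute context.
// The submitted value itself is never modified; only its HTML rendering is.
function escape_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// text/plain mail body: nothing interprets the values as markup, so they are
// written exactly as submitted (this is the "escaping makes no sense" case).
function build_plain_body(array $fields): string
{
    $lines = [];
    foreach ($fields as $label => $value) {
        $lines[] = $label . ': ' . $value;
    }
    return implode("\n", $lines) . "\n";
}

// text/html mail body (or an HTML page showing the submission): every
// untrusted value is escaped at the exact point where it meets HTML.
// The labels are our own constants, but escaping them too keeps the rule
// uniform: "everything written into HTML goes through escape_for_html".
function build_html_body(array $fields): string
{
    $rows = '';
    foreach ($fields as $label => $value) {
        $rows .= '<tr><th>' . escape_for_html((string) $label) . '</th>'
               . '<td>' . escape_for_html($value) . '</td></tr>' . "\n";
    }
    return "<table>\n" . $rows . "</table>\n";
}

// Input-side stripping, the approach proposed in post 1, included only to
// make its cost visible: it silently damages legitimate data that happens
// to contain the same characters.
function strip_angle_brackets(string $value): string
{
    return str_replace(['<', '>'], '', $value);
}

// Constructed sample submission (not real data). It contains the characters
// discussed in the thread both as markup-like text and as ordinary content.
$submission = [
    'Name'    => 'O\'Brien <b>not bold</b>',
    'Subject' => 'Is 5 < 10 && "x" > y?',
    'Message' => 'Tom & Jerry',
];

echo "--- text/plain body (values untouched) ---\n";
echo build_plain_body($submission);

echo "--- text/html body (values escaped on output) ---\n";
echo build_html_body($submission);

echo "--- what input-side stripping does to the Subject field ---\n";
echo strip_angle_brackets($submission['Subject']), "\n";
```

    Run it with `php example.php`. In the HTML body the `<b>` tag arrives as `&lt;b&gt;` and is displayed literally rather than interpreted, while the plain-text body carries the same values unchanged because no HTML parser will ever see them. The last section shows why stripping at input is the wrong layer: "Is 5 < 10" loses its meaning, and the mail still would not be protected if the value were later placed into an HTML page without escaping. Inside WordPress itself, `esc_html()` plays the role of `escape_for_html()` here.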

  11. fastasleep
    Member
    Posted 2 years ago #

    Does this work for sending valid XML as well?

Topic Closed

This topic has been closed to new replies.
