
[Plugin: Contact Form 7] How can special characters be stripped?

  • I’ve just recently started using WordPress. One of the things I always worry about is cross-site scripting (XSS) vulnerability. When I program I make sure special characters are stripped so that XSS attacks are neutralized. From my testing of Contact Form 7 it appears that special characters such as < and > are possible. Is there a way to exclude these or is a hack the solution? THANK YOU.

    http://wordpress.org/extend/plugins/contact-form-7/

  • Plugin Author Takayuki Miyoshi

    @takayukister

    Setting Up Mail

    Check the “Use HTML content type” box.

    Takayuki, thank you for your response. Unfortunately I feel I may have been misunderstood. I tried that setting both ways (off and on), but the result is the same. Special characters do not get removed. They are simply passed on. I’m looking to have < and > removed or converted to ASCII in order to address XSS security concerns. Any suggestions if I hack out a solution? THANKS!

    Plugin Author Takayuki Miyoshi

    @takayukister

    When you set the HTML option on, the special characters such as “<”, “>”, “&” are represented as “&lt;”, “&gt;”, “&amp;” respectively in the message body.

    Agreed, the message field is good and safe. However, all of the other fields still maintain the characters. My understanding of XSS is that I should be concerned about all submitted fields. Thanks Takayuki.

    Plugin Author Takayuki Miyoshi

    @takayukister

    What do you mean by “the other fields”? Mail headers? If so, they are not HTML. They are just text data, you can’t script in it.

    Takayuki,

    Sure, they are not HTML once they are part of an e-mail, but it is my understanding that they must be cleansed immediately upon submittal, i.e. in the parsing routine, or their use prevented through validation.

    Plugin Author Takayuki Miyoshi

    @takayukister

    No, what is needed for preventing XSS is escaping special characters when you output them into HTML-formatted text, not on input.

    Takayuki,

    Please confirm I got this right. If the form data is used for an e-mail then escaping is not necessary. However, if it is sent to a display, then it must be escaped.

    Thank You Again!

    Plugin Author Takayuki Miyoshi

    @takayukister

    If the email’s content type is text/plain, escaping HTML special characters makes no sense, so it is not necessary. If the email’s content type is text/html or you send it to a display as HTML, you must escape them.
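    The rule in the reply above, as an added example that is not Contact Form 7's own code: the same submitted value is left untouched for a text/plain body and entity-escaped for a text/html body (or any HTML page that displays it). Function names and the sample submission are constructed for illustration.

```php
<?php
// Added example, not the plugin's code. It applies the thread's rule:
// escape HTML special characters at the point where a value is emitted
// into HTML, and do nothing for a text/plain destination.

/**
 * Format $value for the destination $content_type.
 * For text/html the characters < > & " ' become entities, so a submitted
 * "<script>" is displayed literally instead of being interpreted.
 * For text/plain the value is returned unchanged; entities there would
 * just show up as literal "&lt;" in the mail client.
 * Inside WordPress, esc_html() does the same job as htmlspecialchars().
 */
function format_for_content_type(string $value, string $content_type): string
{
    if (strtolower($content_type) === 'text/html') {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return $value; // text/plain: nothing is interpreted as HTML
}

/** Build a mail body from submitted fields, escaping each value as needed. */
function build_mail_body(array $fields, string $content_type): string
{
    $is_html = (strtolower($content_type) === 'text/html');
    $lines = [];
    foreach ($fields as $name => $value) {
        $lines[] = $name . ': ' . format_for_content_type($value, $content_type);
    }
    // Line breaks also depend on the content type: <br> only makes sense in HTML.
    return implode($is_html ? "<br>\n" : "\n", $lines);
}

// Constructed sample submission containing the characters the thread asks about.
$submission = [
    'your-name'    => 'Tom & Jerry',
    'your-message' => '<script>alert(1)</script>',
];

// Same data, two destinations: only the HTML body gets escaped.
echo build_mail_body($submission, 'text/plain'), "\n\n";
echo build_mail_body($submission, 'text/html'), "\n";
```

    The same format_for_content_type() call with 'text/html' is what a page must apply before printing a submitted value back into its markup; stripping characters at submission time is neither necessary nor sufficient.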

    fastasleep

    @fastasleep

    Does this work for sending valid XML as well?
