I'm passing user-generated HTML into a database and I'm trying to make sure that no malicious code is passed through. One of the steps I'm taking is to run passed code through PEAR's HTML_Safe class to remove vulnerable markup. However, one thing I've noticed is that the "name" attribute of submitted elements gets removed. Sure enough, when you look at the source code, "name" is one of the few attributes that's blacklisted by default:

http://pear.php.net/package/HTML_Safe/docs/latest/HTML_Safe/HTML_Safe.html#var$attributes

What's the danger in allowing users to pass values for "name"? How can values for "name" be used to nefarious ends? Any thoughts? If not, I'm tempted to modify the blacklist.