chris_c

Reputation: 61

Documents in textarea

I have a contact form on a web site; just ordinary HTML in a PHP page:
<textarea name="message" id ="message" rows="10" cols="30"> </textarea>
I didn't yet sanitize the input as I figured that it was only going to be sent as an email anyway...
Interestingly, the spammers have found a way of attaching/inserting what appears to be a .PDF doc to the message.
My two questions are:
1. How are they doing this? I can't seem to find a way to insert a document or attach a document to a message in a textarea, so how can they?
2. Will sanitizing the input with strip_tags and htmlspecialchars stop them doing it?
Thanks.
Edit:
Thanks for getting back to me - here is a screenshot of one of the emails; as you say, Gmail seems to be picking up the URL:
image of spam email

I don't suppose I should click on that link, hey?

Upvotes: 0

Views: 237

Answers (1)

CodeBoy

Reputation: 3300

Without more detail, I can only guess. <textarea> does not allow attaching a file, only text (a string of any characters). It would allow including a URL in the text. If you send this URL-containing text via email, your email reader likely recognizes the URL string and converts it to a clickable link. So, strictly speaking, the PDF file is not appended to the email, but a link to the PDF is.

If this is the case, sanitizing for HTML tags won't work but sanitizing for URLs will.

Upvotes: 1
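
The point made in the answer above, as an added example that is not part of the original question or answer: strip_tags and htmlspecialchars leave a plain-text URL untouched, so the form handler has to look for URLs explicitly before the message is mailed. The function names, the TLD list and the sample message are assumptions constructed for illustration.

```php
<?php
// Added example: URL screening for a contact-form message body.
// All names and the sample input are constructed, not from the original post.

// Matches scheme URLs, "www." hosts, and bare host names ending in a short
// list of TLDs (the list is an assumption; extend it for your traffic).
// Note: the bare-host branch also matches the domain part of e-mail addresses.
const URL_PATTERN = '~\b(?:(?:https?|ftp)://\S+|www\.\S+'
    . '|[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|info|ru|cn|xyz|top)\b\S*)~i';

// True when the message contains anything a mail client would auto-link.
function message_contains_url(string $message): bool
{
    return preg_match(URL_PATTERN, $message) === 1;
}

// Alternative to rejecting: rewrite each URL so mail clients no longer
// turn it into a clickable link, while a human can still read it.
function defang_urls(string $message): string
{
    return preg_replace_callback(URL_PATTERN, function (array $m): string {
        $u = str_ireplace(['http', '://'], ['hxxp', '[:]//'], $m[0]);
        return str_replace('.', '[.]', $u);
    }, $message);
}

// Constructed sample of what a spam bot might POST into the textarea.
$message = "Your invoice is ready: http://example.test/invoice.pdf <b>open now</b>";

// HTML sanitizing alone: the <b> tags are removed, but the URL survives
// unchanged and the recipient's mail client will still make it a link.
$htmlOnly = htmlspecialchars(strip_tags($message), ENT_QUOTES, 'UTF-8');
echo "HTML-sanitized only: ", $htmlOnly, PHP_EOL;

if (message_contains_url($htmlOnly)) {
    // Option 1: refuse the submission outright (typical for contact forms).
    // Option 2: forward a defanged copy, as shown here.
    echo "URL-sanitized:       ", defang_urls($htmlOnly), PHP_EOL;
}
```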
