Re: Email Handling and Manipulation Question 12


Dan Kelly

Jul 19, 2011, 1:16:59 PM
to Zend Certification Study Group
Which of the following measures will help prevent cross-site attacks on a form that sends a pre-defined text-only e-mail to a user-provided e-mail address? (Choose 2)


A. Enforcing the use of GET parameters only
B. Calling htmlentities() on the e-mail address
C. Enforcing the use of POST parameters only
D. Calling htmlentities() on the body of the e-mail
E. Ensuring that the e-mail address field contains no newline characters

Seal Trip

Jul 19, 2011, 7:01:52 PM
to zend-certificat...@googlegroups.com
I almost said C and D, then I noticed that it is about preventing an attack on a pre-defined text-only e-mail. This gives a clue that html entities will have no effect here, since all input will appear as plain text. So I can only say C (POST is stronger than GET in this context) and E.

So to reduce cross site attack I choose C and E.

Darren Cato

Jul 19, 2011, 10:54:32 PM
to zend-certificat...@googlegroups.com
I'll go with C and E too.

----------------------------------------------------
Darren

Alex Stetsenko

Jul 20, 2011, 2:10:52 PM
to zend-certificat...@googlegroups.com
Sort of agree about C, but as Seal wrote, 'reduce' is a better word than 'prevent'.
But I'm not sure how B or E are related to a cross-site attack? If someone accidentally copy-pastes te...@test.com\n - is it already a cross-site attack?

Dan Kelly

Jul 22, 2011, 8:29:36 AM
to Zend Certification Study Group
The use of htmlentities() on a plain-text e-mail does nothing to help prevent cross-site attacks—in fact, it may cause it to become unreadable for the recipient. Enforcing the use of POST variables only makes it harder for a would-be hacker to spoof your form (although not impossible), while ensuring that the e-mail field (which will become the To: header in the email) does not contain newline characters helps prevent a malicious user from adding his own e-mail address to that of the user and receiving a copy of the e-mail. Therefore, Answers C and E are correct.
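The two checks the accepted answer describes (POST only, and no newline in the recipient field before it becomes the To: header), written out as an added PHP example. This is not code from the thread or from the Zend material; the function names, the fake mailer and the sample inputs are all constructed for illustration.

```php
<?php
// Added example (not from the thread): guarding the recipient field of a
// "send me the info" form before it reaches mail()'s $to argument.
// Function names, the sample inputs and the fake mailer are this example's own.

/**
 * Return the normalised address, or null if it must not be used as a To: header.
 * A single recipient never needs a CR, LF or NUL; any line break in $to would
 * start a new header line, which is how an extra address gets added to the mail.
 * filter_var() then rejects anything that is not one well-formed address.
 */
function validateRecipient(string $candidate): ?string
{
    $candidate = trim($candidate);
    if (preg_match('/[\r\n\x00]/', $candidate)) {
        return null;            // refuse rather than strip: the input is hostile or broken
    }
    if (strlen($candidate) > 254) {
        return null;            // longer than any legal address
    }
    $valid = filter_var($candidate, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/**
 * Handle one form submission: answer C (POST only), then answer E (clean
 * recipient), then send the fixed plain-text body. $send is passed in so the
 * example runs without a mail transfer agent; in production it would be mail().
 */
function handleRequest(string $method, array $post, callable $send): string
{
    if ($method !== 'POST') {
        return 'rejected: POST only';
    }
    $to = validateRecipient($post['email'] ?? '');
    if ($to === null) {
        return 'rejected: invalid recipient';
    }
    $subject = 'Your requested information';
    $body    = "Thanks for your interest.\nThe brochure is available at /brochure.pdf";
    $headers = "From: noreply@example.com\r\nContent-Type: text/plain; charset=UTF-8";
    $send($to, $subject, $body, $headers);
    return "sent to {$to}";
}

// Constructed sample submissions, exercised against a fake mailer.
$fakeMailer = function (string $to, string $subject, string $body, string $headers): void {
    echo "mail() would be called with To: {$to}\n";
};

$cases = [
    ['POST', ['email' => 'user@example.com']],                  // normal submission
    ['POST', ['email' => "user@example.com\nBcc: other@example.net"]], // embedded line break
    ['GET',  ['email' => 'user@example.com']],                  // wrong method
];
foreach ($cases as [$method, $post]) {
    echo handleRequest($method, $post, $fakeMailer), "\n";
}
```

The POST-only test implements answer C; as the answer itself says, it only raises the bar, so a real form would pair it with a per-session token. The newline test implements answer E and is the one that actually closes the header-injection path: rejecting the submission is preferable to silently stripping the characters, because a recipient field containing a line break is never a legitimate address.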