我是否需要清理GD文本功能(imagettftext,imagestring等)的用户输入?
[英]Do I need to sanitize user input for GD text functions (imagettftext, imagestring etc.)
问题描述
I am working on a website that allows users to add text to an image. 
我正在一个允许用户向图像添加文本的网站。 Think meme generator kind of thing. 想模因生成器之类的东西。 I want to allow pretty much all text, including code, HTML etc. 我想允许几乎所有文本,包括代码,HTML等。
Given the allowed "output" of GD text functions is basically anything that is UTF-8 compliant, what should I need to do, if anything, to sanitize the user input? 鉴于GD文本函数所允许的“输出”基本上是符合UTF-8规范的任何内容,我应该做些什么来清理用户输入? Especially considering I want to keep things like code, HTML etc intact. 特别是考虑到我想保持代码,HTML等内容不变。
An example for example's sake: 例如,举个例子:
$userText = $_POST['foo'];
imagettftext($image, 12, 0, 0, 0, $color, $font, $userText);
Is that fine? 这样好吗
Edit: Someone linked me to Secure User Image Upload Capabilities in PHP - I'm not asking how to upload images - I'm asking if/how much/what sanitizing and or validation I need of user input for GD text functions. 编辑:有人将我链接到PHP中的“安全用户图像上传功能” -我不是在问如何上传图像-我是在问是否/需要多少用户对GD文本功能进行消毒和/或验证。
1 个解决方案
解决方案1
1 已采纳 2017-06-26 02:41:01
No, no escaping or anything is needed. 不,不需要转义或任何其他操作。
You only need to escape something when using it in a new context, where there is possibility to confuse the data with the command . 您仅需要在新的上下文中使用某些东西时就可以对其进行转义,这有可能使数据与command混淆。 In this case, text data is just text data, and it remains as text data. 在这种情况下,文本数据只是文本数据,并且仍保留为文本数据。 You don't need to do anything with it. 您不需要做任何事情。
Do keep in mind though that users might be able to generate images with whatever glyphs are in the font, with all the fun of unicode to go with it . 请记住,尽管用户可能能够使用字体中的任何字形生成图像, 而unicode的所有乐趣都可以与它一起使用 。 If text appearing in different directions and on top of things is bad for your app... you might have to do something about it. 如果文本以不同的方向出现在顶部,则对您的应用程序不利...您可能需要对此做一些事情。 But that's unrelated to GD itself. 但这与GD本身无关。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.