dougu9895 2017-06-26 02:11
浏览 50
已采纳

我是否需要清理GD文本函数的用户输入(im​​agettftext,imagestring等)

I am working on a website that allows users to add text to an image. Think meme generator kind of thing. I want to allow pretty much all text, including code, HTML etc.

Given the allowed "output" of GD text functions is basically anything that is UTF-8 compliant, what should I need to do, if anything, to sanitize the user input? Especially considering I want to keep things like code, HTML etc intact.

An example for example's sake:

$userText = $_POST['foo'];
imagettftext($image, 12, 0, 0, 0, $color, $font, $userText);

Is that fine?

Edit: Someone linked me to Secure User Image Upload Capabilities in PHP - I'm not asking how to upload images - I'm asking if/how much/what sanitizing and or validation I need of user input for GD text functions.

  • 写回答

1条回答 默认 最新

  • dongpu42006096 2017-06-26 02:41
    关注

    No, no escaping or anything is needed.

    You only need to escape something when using it in a new context, where there is possibility to confuse the data with the command. In this case, text data is just text data, and it remains as text data. You don't need to do anything with it.

    Do keep in mind though that users might be able to generate images with whatever glyphs are in the font, with all the fun of unicode to go with it. If text appearing in different directions and on top of things is bad for your app... you might have to do something about it. But that's unrelated to GD itself.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 BP神经网络控制倒立摆
  • ¥20 要这个数学建模编程的代码 并且能完整允许出来结果 完整的过程和数据的结果
  • ¥15 html5+css和javascript有人可以帮吗?图片要怎么插入代码里面啊
  • ¥30 Unity接入微信SDK 无法开启摄像头
  • ¥20 有偿 写代码 要用特定的软件anaconda 里的jvpyter 用python3写
  • ¥20 cad图纸,chx-3六轴码垛机器人
  • ¥15 移动摄像头专网需要解vlan
  • ¥20 access多表提取相同字段数据并合并
  • ¥20 基于MSP430f5529的MPU6050驱动,求出欧拉角
  • ¥20 Java-Oj-桌布的计算