I am working on a website that allows users to add text to an image. Think meme generator kind of thing. I want to allow pretty much all text, including code, HTML etc.

Given the allowed "output" of GD text functions is basically anything that is UTF-8 compliant, what should I need to do, if anything, to sanitize the user input? Especially considering I want to keep things like code, HTML etc intact.

An example for example's sake:

```php
$userText = $_POST['foo'];                                   // raw, unescaped user input
imagettftext($image, 12, 0, 0, 0, $color, $font, $userText); // rendered verbatim as glyphs
```

Is that fine?

Edit: Someone linked me to Secure User Image Upload Capabilities in PHP - I'm not asking how to upload images - I'm asking if/how much/what sanitizing and/or validation I need of user input for GD text functions.

Julian
  • Possible duplicate of [Secure User Image Upload Capabilities in PHP](https://stackoverflow.com/questions/3644138/secure-user-image-upload-capabilities-in-php) – Obsidian Age Jun 26 '17 at 02:16

1 Answer


No, no escaping or anything is needed.

You only need to escape something when using it in a new context, where there is a possibility of confusing the data with the command. In this case, text data is just text data, and it remains as text data. You don't need to do anything with it.

Do keep in mind though that users might be able to generate images with whatever glyphs are in the font, with all the fun of unicode to go with it. If text appearing in different directions and on top of things is bad for your app... you might have to do something about it. But that's unrelated to GD itself.

Brad
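An added example (not code from the question or the answer) that renders the posted text exactly as received, with no HTML escaping, and applies only the checks that matter for GD: the input must be valid UTF-8, a length cap, and, following the answer's caveat about text running in different directions, removal of Unicode bidi control characters. The font path, canvas size, length limit and the `foo` field name are assumptions.

```php
<?php
// Added example, not code from the original post. Assumed: a TTF font at
// FONT, a POST field "foo", and a fixed canvas size and length limit.
const FONT      = __DIR__ . '/DejaVuSans.ttf'; // assumed font path
const MAX_CHARS = 200;                         // assumed limit

/**
 * Validate text for imagettftext(). The text is returned unchanged apart
 * from the removal of bidi controls; no HTML/SQL/shell escaping is applied,
 * because the text never changes context: it goes in as text, out as pixels.
 */
function prepareCaptionText(string $raw): string
{
    // GD's TTF functions expect UTF-8; reject anything malformed.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        throw new InvalidArgumentException('caption is not valid UTF-8');
    }
    // Drop explicit bidi override/isolate controls (U+202A..U+202E,
    // U+2066..U+2069) so a caption cannot flip the reading order of
    // surrounding text. Everything else, including "<script>", stays.
    $clean = preg_replace('/[\x{202A}-\x{202E}\x{2066}-\x{2069}]/u', '', $raw);
    if (mb_strlen($clean, 'UTF-8') > MAX_CHARS) {
        throw new InvalidArgumentException('caption too long');
    }
    return $clean;
}

/** Render the caption onto a fresh canvas and return it as PNG bytes. */
function renderCaption(string $text): string
{
    $im    = imagecreatetruecolor(600, 120);
    $white = imagecolorallocate($im, 255, 255, 255);
    $black = imagecolorallocate($im, 0, 0, 0);
    imagefill($im, 0, 0, $white);
    // Baseline at y=70; the text is passed through verbatim.
    imagettftext($im, 20, 0, 10, 70, $black, FONT, $text);
    ob_start();
    imagepng($im);
    imagedestroy($im);
    return (string) ob_get_clean();
}

$text = prepareCaptionText($_POST['foo'] ?? '');
$png  = renderCaption($text);
// Serve the result as an image so the raw text is never interpreted as markup.
header('Content-Type: image/png');
header('Content-Length: ' . strlen($png));
echo $png;
```

The same caption containing `<b>` or `&lt;` is drawn character for character; the only inputs rejected are malformed UTF-8 and over-long text, which GD cannot or should not render.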