Principally, is input type="text" instead of input type="url" a security problem for "website" form fields?



  • I have a simple HTML-PHP-CSS contact form (no JavaScript) with some trivial fields sent via PHP's mail() function. One of the fields is a "website" field in which a user should input a website domain (if relevant).


    If I use input type="url" for the form field, it obliges users to add a protocol prefix such as http:// or https:// to any website domain or full URL.

    Most users don't even think about adding a protocol prefix and would get an error for lacking it, and the form won't be submitted without it (some users might not understand the error), so accessibility-wise I have figured that I shouldn't use input type="url" at all and should find another kind of input field to ask for a website domain.


    I thought about changing type="url" to type="text".

    Perhaps there are some security considerations if one takes that approach.

    Principally, is input type="text" instead of input type="url" a security problem for "website" form fields?



  • The type of the input field is not a security feature but merely a usability feature, i.e. it allows early checking of the value and might already offer constraints when entering the data in the browser. The server must still validate that the input conforms to the expected type, since it is easily possible to bypass the browser-based verification or not use a browser at all to submit the input.

    Based on this, it is not a security problem to specify type text instead of type url for the input field, but it might merely be a usability problem. It becomes a security problem only when the server-side application blindly assumes that the input will only be of the specific type, i.e. blindly trusts client input based on the wrong assumption that the browser will check it properly.
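As an added illustration of the server-side check the answer calls for (example code, not from the poster or the answerer): the form keeps type="text" so users may omit the protocol, and the PHP handler normalises and validates the value itself, never relying on what the browser did or did not enforce. The field name `website` in `$_POST`, the https:// default and the length cap are assumptions for the example.

```php
<?php
declare(strict_types=1);

/**
 * Server-side validation of an optional "website" form field (added example).
 *
 * Returns:
 *   ''     when the field was left empty (it is optional),
 *   string the normalised URL (scheme added if the user omitted it),
 *   null   when the value is not an acceptable http(s) website.
 */
function validate_website_field(string $raw): ?string
{
    $value = trim($raw);

    // Empty is fine: the user is only asked for a website "if relevant".
    if ($value === '') {
        return '';
    }

    // Reject absurd lengths and any control character (CR/LF in particular
    // must never reach anything that builds mail headers).
    if (strlen($value) > 2048 || preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return null;
    }

    // Most people type "example.com" without a protocol; supply one so the
    // value can be checked as a full URL. (Defaulting to https is an assumption.)
    if (!preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
        $value = 'https://' . $value;
    }

    // Structural check of the whole URL.
    if (filter_var($value, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }

    // FILTER_VALIDATE_URL accepts any scheme, so restrict to web URLs
    // explicitly; also refuse embedded credentials ("user:pass@host").
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }

    // The host must be a syntactically valid hostname with at least one dot.
    if (filter_var($parts['host'], FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false
        || strpos($parts['host'], '.') === false) {
        return null;
    }

    return $value;
}

// Usage in the form handler ($_POST['website'] is the assumed field name).
$website = validate_website_field($_POST['website'] ?? '');
if ($website === null) {
    // Re-display the form with a plain-language message; the raw value is
    // never passed on to mail() or stored.
    http_response_code(422);
    exit('Please enter a website address such as example.com');
}
// $website is now either '' or a normalised http(s) URL safe to place in the mail body.
```

Because this check runs on the server for every submission, the choice between type="text" and type="url" on the client is purely a usability decision, exactly as the answer states. The same principle applies to the other fields: anything that ends up in a mail header (sender address, subject) needs its own server-side validation, independent of the input types in the HTML.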

