So I'm using a tcp socket to serve up data on the fly, it's extremely responsive and allows a machine's files to viewed without any access granted to the actual machine.
So for example the text we're serving over the socket would be:
This book is a treatise on the theory of ethics, very popular during
the Renaissance. The first line of Lorem Ipsum, "Lorem ipsum dolor sit
amet..", comes from a line in section 1.10.32.;?> <?php die("malicious"); ?>
The question becomes is echoing the output the best way to perform this, these files could realistically contain anything, but they will be read into the stream and then printed onto a page. (hopefully, in plain text)
Currently I'm using strip_tags on the output.
echo strip_tags($output);
Is this a secure enough method to preventing anything that could reside in these files, they're not executed, just read, so the text sanitation is the only real importance here.
Thank you.
You could send
header('Content-type: text/plain');
at the beginning of the script. Then the browser should not make any attempt to render any of the script's output as HTML.
Or if this output is embedded in a page that contains HTML, you can convert it to entities so it won't be rendered as HTML.
echo htmlentities($output);