Potential security issues in the Filter class. #15

dhrrgn opened this Issue Aug 10, 2012 · 1 comment


None yet

2 participants

dhrrgn commented Aug 10, 2012

Again, looking through with a a magnifying glass trying to find the issues that commenter seemed to see.

I found 2 issues.

  1. The filterHtmlentities() method does not specify any flags, encoding type or disable double encoding. These can cause issues. Without a ENT_QUOTES flag, it will not convert single quotes, only double, which could lead to some XSS issues or worse, the other two options are just to make sure everything looks correct when outputted. I recommend using the following:
htmlentities($value, ENT_QUOTES, 'UTF-8', false);

Note: You should use whatever encoding the user is (I imagine it is a config option somewhere I didn't see).

  1. The filterStriptags() uses the strip_tags() function, which is insecure and generally cannot be trusted (for example see here http://htmlpurifier.org/comparison#striptags). You should use the following instead:
filter_var($value, FILTER_SANITIZE_STRING);

Even though this still does not stop all possible threats, it is a better option.

Overall, I think that for input/output filtering you should use something along the lines of HTML Purifier or htmLawed. They add a bit of bulk and are slower, but they do a much much better job of preventing XSS and other types of attacks.

enygma commented Aug 10, 2012

Other notes:
"One more thing I didn’t put in the issues: Check if the value is an array when a string is expected."
"If you are sanitizing the post or get data there could be array in there (checkboxes[]) which would cause an issue for most filters."

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment