Potential security issues in the Filter class. #15

Open
dhrrgn opened this Issue Aug 10, 2012 · 1 comment

Projects

None yet

2 participants

Contributor
dhrrgn commented Aug 10, 2012

Again, looking through with a a magnifying glass trying to find the issues that commenter seemed to see.

I found 2 issues.

  1. The filterHtmlentities() method does not specify any flags, encoding type or disable double encoding. These can cause issues. Without a ENT_QUOTES flag, it will not convert single quotes, only double, which could lead to some XSS issues or worse, the other two options are just to make sure everything looks correct when outputted. I recommend using the following:
<?php
htmlentities($value, ENT_QUOTES, 'UTF-8', false);

Note: You should use whatever encoding the user is (I imagine it is a config option somewhere I didn't see).

  1. The filterStriptags() uses the strip_tags() function, which is insecure and generally cannot be trusted (for example see here http://htmlpurifier.org/comparison#striptags). You should use the following instead:
<?php
filter_var($value, FILTER_SANITIZE_STRING);

Even though this still does not stop all possible threats, it is a better option.

Overall, I think that for input/output filtering you should use something along the lines of HTML Purifier or htmLawed. They add a bit of bulk and are slower, but they do a much much better job of preventing XSS and other types of attacks.

Owner
enygma commented Aug 10, 2012

Other notes:
"One more thing I didn’t put in the issues: Check if the value is an array when a string is expected."
"If you are sanitizing the post or get data there could be array in there (checkboxes[]) which would cause an issue for most filters."

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment