Potential security issues in the Filter class. #15

Open
dhrrgn opened this Issue · 1 comment

2 participants

@dhrrgn

Again, looking through with a magnifying glass trying to find the issues that commenter seemed to see.

I found 2 issues.

  1. The filterHtmlentities() method does not specify any flags, encoding type or disable double encoding. These can cause issues. Without an ENT_QUOTES flag, it will not convert single quotes, only double, which could lead to some XSS issues or worse; the other two options are just to make sure everything looks correct when output. I recommend using the following:
<?php
htmlentities($value, ENT_QUOTES, 'UTF-8', false);

Note: You should use whatever encoding the user is (I imagine it is a config option somewhere I didn't see).

  2. The filterStriptags() uses the strip_tags() function, which is insecure and generally cannot be trusted (for example see here http://htmlpurifier.org/comparison#striptags). You should use the following instead:
<?php
filter_var($value, FILTER_SANITIZE_STRING);

Even though this still does not stop all possible threats, it is a better option.

Overall, I think that for input/output filtering you should use something along the lines of HTML Purifier or htmLawed. They add a bit of bulk and are slower, but they do a much much better job of preventing XSS and other types of attacks.

@enygma
Owner

Other notes:
"One more thing I didn’t put in the issues: Check if the value is an array when a string is expected."
"If you are sanitizing the post or get data there could be array in there (checkboxes[]) which would cause an issue for most filters."

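The two points above (explicit htmlentities() flags and charset, and array values such as checkboxes[] arriving where a string is expected) as one added example; this is illustrative code, not the project's Filter class, and the function name escapeHtmlRecursive and the $charset parameter are assumptions:

```php
<?php
// Added example: recursive HTML escaping that applies the advice in this issue.
// Not part of the project; escapeHtmlRecursive() is a hypothetical helper.
declare(strict_types=1);

/**
 * Escape a string, or every leaf of a nested array, for safe HTML output.
 * $charset is assumed to come from the application's configuration.
 */
function escapeHtmlRecursive($value, string $charset = 'UTF-8')
{
    if (is_array($value)) {
        // Recurse so checkbox[] style input never reaches htmlentities() as an array,
        // which would raise a warning and return null instead of an escaped string.
        return array_map(
            fn($v) => escapeHtmlRecursive($v, $charset),
            $value
        );
    }
    if (!is_string($value)) {
        // int, float, bool and null carry no markup; pass them through unchanged.
        return $value;
    }
    // ENT_QUOTES escapes both ' and " (the default only handles ").
    // ENT_SUBSTITUTE replaces invalid byte sequences instead of returning ''.
    // double_encode = false keeps an existing &amp; from becoming &amp;amp;.
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, $charset, false);
}

// Constructed sample input resembling $_POST with a checkbox group.
$input = [
    'name'  => "O'Brien <script>alert(1)</script>",
    'notes' => 'Tom &amp; Jerry',
    'tags'  => ['<b>bold</b>', '"quoted"'],
];

var_dump(escapeHtmlRecursive($input));

// For comparison: the default flags leave the single quote untouched, which is
// the gap the issue describes when the value lands inside a single-quoted attribute.
var_dump(htmlentities("O'Brien"));
var_dump(htmlentities("O'Brien", ENT_QUOTES, 'UTF-8', false));
```

Note that FILTER_SANITIZE_STRING, suggested above as a strip_tags() replacement, is deprecated as of PHP 8.1, so on current PHP the HTML Purifier / htmLawed route is the practical option for tag filtering.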