Skip to content


Subversion checkout URL

You can clone with
Download ZIP


Potential security issues in the Filter class. #15

dhrrgn opened this Issue · 1 comment

2 participants


Again, looking through with a a magnifying glass trying to find the issues that commenter seemed to see.

I found 2 issues.

  1. The filterHtmlentities() method does not specify any flags, encoding type or disable double encoding. These can cause issues. Without a ENT_QUOTES flag, it will not convert single quotes, only double, which could lead to some XSS issues or worse, the other two options are just to make sure everything looks correct when outputted. I recommend using the following:
htmlentities($value, ENT_QUOTES, 'UTF-8', false);

Note: You should use whatever encoding the user is (I imagine it is a config option somewhere I didn't see).

  1. The filterStriptags() uses the strip_tags() function, which is insecure and generally cannot be trusted (for example see here You should use the following instead:
filter_var($value, FILTER_SANITIZE_STRING);

Even though this still does not stop all possible threats, it is a better option.

Overall, I think that for input/output filtering you should use something along the lines of HTML Purifier or htmLawed. They add a bit of bulk and are slower, but they do a much much better job of preventing XSS and other types of attacks.


Other notes:
"One more thing I didn’t put in the issues: Check if the value is an array when a string is expected."
"If you are sanitizing the post or get data there could be array in there (checkboxes[]) which would cause an issue for most filters."

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.