XSS Sanitisation Patch #29
Conversation
Added in HTML Encoding for all echo statements. This should take care of any XSS issues that are within the software.
Not sure why, but this is what I see when using your copy of the file, @prodigysml.

My bad. Probably over sanitised sections. Looking into fixing it.

…o work, but that is if the table or the database contains special characters (like <>). I feel that it shouldn't be a problem, as the most likely users of such characters are probably people trying to exploit that application.

@JustinStolle Just added in a patch for that. Should be patched, but still has a bit of a problem if someone uses things like chevrons (<>).
osalabs left a comment
Could you please change the following:
- use the already existing function hs() instead of htmlentities() for sanitizing strings
- remove unnecessarily added spaces (I am just trying to keep file size as small as possible)
@osalabs Thanks for that! I made the change to use hs now. Also fixed up the spaces issue.
osalabs left a comment
Still have issues with the patch while testing.
- Try this: create the following table:
CREATE TABLE `<b>bold</b>` (
  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `<i>italic</i>` text,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8
and try to use all functions.
For example, when I do "show tables" and then click on the table name, it displays an error, while it should select from the table.
- You can also create a database with a name containing special HTML chars and test if it works.
- And eo() is not necessary in ex_w(), because ex_w is used only in export and should not escape chars.
Please review your changes again.
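Added example (not code from this PR or from the project under review): the reviewer's test case above, written as a small PHP script that shows why a single HTML-encoding pass over every value breaks table and column names such as `<b>bold</b>`, and how keeping the SQL, HTML, URL and export contexts separate fixes it while still closing the XSS. hs() is re-implemented here as a thin htmlspecialchars() wrapper only so the script runs stand-alone; the project's real hs() and eo() bodies are not shown on this page. quote_ident(), build_select(), build_select_overescaped(), table_link(), export_row() and the in-memory SQLite database are the example's own assumptions.

```php
<?php
declare(strict_types=1);

// Assumed stand-in for the project's hs(): encode a value for an HTML body or attribute.
function hs(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Quote an SQL identifier (table/column name) with backticks. Inside a backtick-quoted
// MySQL identifier the only character that needs escaping is the backtick itself.
function quote_ident(string $name): string {
    return '`' . str_replace('`', '``', $name) . '`';
}

// The over-sanitised pattern: the name is HTML-encoded once and then reused for the
// query. "<b>bold</b>" becomes "&lt;b&gt;bold&lt;/b&gt;" and the SELECT hits a table
// that does not exist, which is the error the reviewer saw after "show tables".
function build_select_overescaped(string $table): string {
    $safe = hs($table); // wrong layer: output encoding applied to an SQL identifier
    return 'SELECT * FROM ' . quote_ident($safe) . ' LIMIT 10';
}

// Context-aware version: the raw name reaches the SQL layer identifier-quoted;
// nothing here is HTML-encoded because nothing here is HTML.
function build_select(string $table): string {
    return 'SELECT * FROM ' . quote_ident($table) . ' LIMIT 10';
}

// The clickable table name from the table list: URL-encode the raw name for the
// query string so the server gets it back intact, HTML-escape the attribute and the
// visible text. Each encoding is applied exactly once, at its own boundary.
function table_link(string $table): string {
    $href = '?t=' . rawurlencode($table);
    return '<a href="' . hs($href) . '">' . hs($table) . '</a>';
}

// Export path (the reviewer's point about eo() in ex_w()): values written to an SQL
// dump get SQL string quoting only. HTML-encoding them would corrupt the dump.
function export_row(string $table, array $row): string {
    $vals = array_map(fn($v) => "'" . str_replace("'", "''", (string)$v) . "'", $row);
    return 'INSERT INTO ' . quote_ident($table) . ' VALUES (' . implode(', ', $vals) . ");\n";
}

// Constructed demo data in SQLite (it accepts backtick identifiers like MySQL).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `<b>bold</b>` (`id` INTEGER PRIMARY KEY, `<i>italic</i>` TEXT)');
$pdo->exec("INSERT INTO `<b>bold</b>` (`<i>italic</i>`) VALUES ('<script>alert(1)</script>')");

$name = '<b>bold</b>';
echo table_link($name), "\n"; // markup in the name is rendered as text, not as tags

try {
    $pdo->query(build_select_overescaped($name));
} catch (PDOException $e) {
    echo "over-escaped query failed: ", $e->getMessage(), "\n";
}

foreach ($pdo->query(build_select($name)) as $row) {
    // Cell values are escaped only when written into the HTML page...
    echo '<td>', hs($row['<i>italic</i>']), "</td>\n";
    // ...and left untouched when written into the export file.
    echo export_row($name, [$row['id'], $row['<i>italic</i>']]);
}
```

The same separation applies to the database name from the reviewer's second bullet: keep the raw value for `USE`/identifier quoting and for the URL parameter, and call hs() only at the point where the name is echoed into the page.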