This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Filter input for its use in XPath expressions
In order to avoid XPath injection, user input must be filtered before it ends up in the query. Unfortunately, there's no way to do this with a standard method in PHP, so we need our own filtering function. Current best practice recommends using white lists instead of black lists to allow only a subset of characters. In this case, we allow only letters, numerals, spaces, dashes and underscores. This also fixes a bug inside a loop, where $identifier is used instead of $idKey (the element in the current loop iteration).
1 parent 222303d, commit 6490326. Showing 3 changed files with 37 additions and 3 deletions.
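As an added example (not code from the xmlseclibs commit), the same whitelist idea carried end to end in PHP: a filter whose hyphen is escaped inside the character class, explicit validation of the mode argument, a check for `preg_replace` failure, and a `DOMXPath` lookup that embeds only the filtered value. The function names, the string mode constants and the sample XML document are constructed for this illustration and differ from the commit's `XPath::filter`.

```php
<?php
// Added example, not part of the xmlseclibs commit. Demonstrates whitelist
// filtering of a value before it is embedded in an XPath string literal.
declare(strict_types=1);

// Hypothetical mode names for this example (the commit uses integer constants).
const XPATH_MODE_EXTENDED = 'extended'; // letters, digits, underscore, whitespace, dash
const XPATH_MODE_NUMERIC  = 'numeric';  // digits only
const XPATH_MODE_LETTERS  = 'letters';  // ASCII letters only

// Negated character classes: everything they match gets removed.
// The hyphen is escaped so it is a literal dash, not the start of a range.
// \w already covers [A-Za-z0-9_], so \d and _ need not be listed again.
const XPATH_PATTERNS = [
    XPATH_MODE_EXTENDED => '/[^\w\s\-]/',
    XPATH_MODE_NUMERIC  => '/[^0-9]/',
    XPATH_MODE_LETTERS  => '/[^A-Za-z]/',
];

/**
 * Strip every character outside the whitelist selected by $mode.
 * Fails loudly on an unknown mode or a regex error instead of returning null.
 */
function xpath_filter(string $input, string $mode = XPATH_MODE_EXTENDED): string
{
    if (!isset(XPATH_PATTERNS[$mode])) {
        throw new InvalidArgumentException("Unknown XPath filter mode: $mode");
    }
    $out = preg_replace(XPATH_PATTERNS[$mode], '', $input);
    if ($out === null) {
        throw new RuntimeException('preg_replace failed, error code ' . preg_last_error());
    }
    return $out;
}

/**
 * Look up a <Reference> by its Id attribute. The filtered value contains no
 * quote, bracket, slash or other XPath metacharacter, so it cannot break out
 * of the string literal it is placed in.
 */
function find_reference(DOMXPath $xp, string $untrustedId): ?DOMElement
{
    $id = xpath_filter($untrustedId);
    $nodes = $xp->query("//Reference[@Id='$id']");
    if ($nodes === false || $nodes->length === 0) {
        return null;
    }
    $node = $nodes->item(0);
    return $node instanceof DOMElement ? $node : null;
}

// Constructed sample document, not from the page.
$xml = <<<'XML'
<?xml version="1.0"?>
<Signature>
  <Reference Id="ref-1"><Digest>aaaa</Digest></Reference>
  <Reference Id="ref-2"><Digest>bbbb</Digest></Reference>
</Signature>
XML;

$doc = new DOMDocument();
$doc->loadXML($xml);
$xp = new DOMXPath($doc);

// A clean identifier is found as-is.
$hit = find_reference($xp, 'ref-2');
echo $hit ? $hit->getAttribute('Id') : 'no match', PHP_EOL;

// Quote, bracket and slash are dropped before the query is built, so the
// lookup runs against a harmless string and simply finds nothing.
echo xpath_filter("ref-1']/x"), PHP_EOL;
$miss = find_reference($xp, "ref-1']/x");
echo $miss ? $miss->getAttribute('Id') : 'no match', PHP_EOL;

// A letters-only mode must reject digits and underscore, which \w would admit.
echo xpath_filter('abc_123', XPATH_MODE_LETTERS), PHP_EOL;
```

Run it with the PHP CLI (`php example.php`); the `dom` extension must be loaded. The filter is deliberately a reducer rather than a validator: it never throws on bad input, it only removes what is not whitelisted, so callers that need to know whether anything was stripped should compare the result with the original.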
@@ -0,0 +1,32 @@ | ||
<?php | ||
|
||
namespace RobRichards\XMLSecLibs\Utils; | ||
|
||
class XPath | ||
{ | ||
const ALPHANUMERIC = 0; | ||
const NUMERIC = 1; | ||
const LETTERS = 2; | ||
const EXTENDED_ALPHANUMERIC = 3; | ||
|
||
private static $regex = [ | ||
self::ALPHANUMERIC => '#[^\w\d]#', | ||
self::NUMERIC => '#[^\d]#', | ||
self::LETTERS => '#[^\w]#', | ||
self::EXTENDED_ALPHANUMERIC => '#[^\w\d\s-_]#' | ||
]; | ||
|
||
|
||
/** | ||
* Filter a string for save inclusion in an XPath query. | ||
* | ||
* @param string $input The query parameter to filter. | ||
* @param int $allow The character set that we should allow. | ||
* | ||
* @return string The input filtered with only allowed characters. | ||
*/ | ||
public static function filter($input, $allow = self::EXTENDED_ALPHANUMERIC) | ||
{ | ||
return preg_replace(self::$regex[$allow], '', $input); | ||
} | ||
} |
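Review bot: the `EXTENDED_ALPHANUMERIC` pattern `'#[^\w\d\s-_]#'` places an unescaped hyphen between `\s` and `_` inside the character class, which the engine reads as an attempted range starting at a class escape; PCRE2, the engine in PHP 7.3 and later, rejects that as an invalid range, so `preg_replace` fails and `filter()` returns null instead of a string. Escape it (`'#[^\w\d\s\-_]#'`) or move the hyphen to the end of the class. Related points: `\w` already matches digits and the underscore, so `\d` and `_` are redundant here, and the `LETTERS` pattern `'#[^\w]#'` therefore admits digits and underscores despite its name; use `[^a-zA-Z]` if letters-only is meant. `\s` also lets tabs and newlines through, not only spaces. `filter()` should reject an unknown `$allow` (an undefined index yields a null pattern) and check `preg_replace` for a null return, and the docblock's "save inclusion" should read "safe inclusion".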