Replies: 10 comments
-
While not an answer to what seems to be your real question, in a default store, Because it is not specifically identified in the init_sanitize code it is strict sanitized. In your testing did you find that it bypassed this particular POST key? That any/all presanitization eliminates the need to use |
Beta Was this translation helpful? Give feedback.
-
Where? |
Beta Was this translation helpful? Give feedback.
-
At start of There is then the call near the end of the file to run sanitizers, this invokes filtering of both keys and the related values in a strict manner. Such information would be logged if |
Beta Was this translation helpful? Give feedback.
-
Thanks for the info, although the correct answer to "where?" was RTM: The original question remains
|
Beta Was this translation helpful? Give feedback.
-
And at some point we need to have a conversation as to why we do this and how we stop having to do this. |
Beta Was this translation helpful? Give feedback.
-
@zcwilt, what is |
Beta Was this translation helpful? Give feedback.
-
security through obscurity. This include admin sanitization and obscured admin directories. |
Beta Was this translation helpful? Give feedback.
-
@lat9 will put together some notes around this |
Beta Was this translation helpful? Give feedback.
-
i could not agree more. |
Beta Was this translation helpful? Give feedback.
-
As noted in the issue mentioned by @torvista, there's also been some discussion of this handling over the past year. |
Beta Was this translation helpful? Give feedback.
-
While fettling with category-product listing, some POST/GET are pre-cast to integers here
zencart/admin/includes/init_includes/init_sanitize.php
Lines 171 to 188 in d46e790
Other POST/GET in this file are not pre-sanitized , the usual in-file cleaning or casting is done, eg:
where $_POST['categories_id' IS pre-cast to integer but $_POST['move_to_category_id'] is not pre-sanitized at all.
Is the philosophy to move sanitizing out of a file and into the init?
So $_POST['move_to_category_id'] should also go in the $goup array and
$new_parent_id = zen_db_prepare_input($_POST['move_to_category_id'])
;becomes
$new_parent_id = $_POST['move_to_category_id');
Beta Was this translation helpful? Give feedback.
All reactions