Posted on: 2018/3/29 20:09
Re: Sanitizing inputs
MyTextSanitizer is still OK, as far as I know.
The best way to sanitize user input is to use "Request" from XMF
$op = Request::getString('op', 'form');
$albId = Request::getInt('alb_id', 0, 'POST');
or you can use direct XMF calls:
$op = \Xmf\Request::getString('op', 'form');
$albId = \Xmf\Request::getInt('alb_id', 0, 'POST');
This is a key Security advise from our Core Team leader, Geekwright:
There were three basic issues is this set (so far,) and they are very common security risks in web applications.
1) Always use and check security TOKENS on forms. Virtually any POST form (including xoops_confirm() calls) can have a token added and checked easily.
Doing that consistently will help prevent CSRF (cross site request forgery) attacks. Using the token validates that a request is in response to a form that was presented to the current user in the current session.
2) Clean input data, and escape it as it is displayed to prevent XSS attacks.
When data moves directly from user input to being displayed on the page (either echoed back as a summary, or used as the value in a form input)
a) use the appropriate Request method to clean it, and
b) then escape it for output with
(or achieve the same with named TextSanitizer call) :
$myts = \MyTextSanitizer::getInstance();
$filedownname = $myts->htmlSpecialChars($this->downloadname);
But start always with cleaning it with Request method:
as it will remove lots of nastiness.
Using htmlentites() will make sure that what is displayed back is always inert, with no active content.
3) Make sure that any filename being taken from a submitted form is checked to make sure that it is pointing to a directory where you should be reading or writing. Use realpath() on both the full file name and the full permitted path and make sure the resulting file name starts with the resulting permitted path. Doing this will any resolve symlinks and directory traversals, and do so for any system (Linux, Windows, etc.)
We have a lot of old code that didn't do it, and I am trying to clean it up our old modules to use consistently the "Request" from XMF
, but it's still a long way to go!
Who can help with it?