xoops forums

loukaum (Just popping in, Posts: 92, Since: 2003/11/2)
Posted on: 3/29 15:05
#1

Sanitizing inputs

Hello all,

Is MyTextSanitizer deprecated? If no... how can I use it? If yes, what is the best approach to sanitize user inputs on XOOPS version 2.5.9?

Mamba (Moderator, Posts: 10570, Since: 2004/4/23)
Posted on: 3/29 20:09
#2

Re: Sanitizing inputs

MyTextSanitizer is still OK, as far as I know.

The best way to sanitize user input is to use "Request" from XMF, e.g.:

use Xmf\Request;

$op    = Request::getString('op', 'form');
$albId = Request::getInt('alb_id', 0, 'POST');


or you can use direct XMF calls:

$op    = \Xmf\Request::getString('op', 'form');
$albId = \Xmf\Request::getInt('alb_id', 0, 'POST');


This is key security advice from our Core Team leader, Geekwright:
Quote:

There were three basic issues in this set (so far), and they are very common security risks in web applications.

1) Always use and check security TOKENS on forms. Virtually any POST form (including xoops_confirm() calls) can have a token added and checked easily.
Doing that consistently will help prevent CSRF (cross site request forgery) attacks. Using the token validates that a request is in response to a form that was presented to the current user in the current session.

2) Clean input data, and escape it as it is displayed to prevent XSS attacks.
When data moves directly from user input to being displayed on the page (either echoed back as a summary, or used as the value in a form input)

a) use the appropriate Request method to clean it, and

b) then escape it for output with
htmlentities($variable, ENT_QUOTES);


(or achieve the same with named TextSanitizer call) :

$myts = \MyTextSanitizer::getInstance();
$filedownname = $myts->htmlSpecialChars($this->downloadname);


But start always with cleaning it with Request method:
Xmf\Request::getString()

as it will remove lots of nastiness.

Using htmlentities() will make sure that what is displayed back is always inert, with no active content.

3) Make sure that any filename being taken from a submitted form is checked to make sure that it is pointing to a directory where you should be reading or writing. Use realpath() on both the full file name and the full permitted path and make sure the resulting file name starts with the resulting permitted path. Doing this will resolve any symlinks and directory traversals, and do so for any system (Linux, Windows, etc.)


We have a lot of old code that didn't do it, and I am trying to clean up our old modules to use "Request" from XMF consistently, but there is still a long way to go!

Who can help with it?
Support XOOPS => DONATE
Use 2.5.9 | Docs | Modules | Bugs
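The three points quoted above, put together in one download handler. This is an added example, not code from the thread or from the XOOPS code base; it assumes the Xmf\Request signatures as quoted in the thread (getString($name, $default, $hash) and getInt($name, $default, $hash)), and resolveInsideDir(), escapeForHtml() and the $uploadDir location are hypothetical names chosen for this illustration.

```php
<?php
// Added example (not from the thread or the XOOPS project). Assumes the
// Xmf\Request API as quoted in the thread; resolveInsideDir(), escapeForHtml()
// and $uploadDir are hypothetical names for this illustration.
use Xmf\Request;

/**
 * Point 3: confirm that a user-supplied file name resolves inside $baseDir.
 * realpath() canonicalises both sides, so "../" segments, symlinks and
 * platform-specific separators are resolved before the prefix comparison.
 * Returns the resolved absolute path, or null when the file does not exist
 * or escapes the permitted directory.
 */
function resolveInsideDir(string $baseDir, string $userFile): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // the permitted directory itself does not exist
    }
    // Trailing separator so "/var/uploads" cannot match "/var/uploads-private/x"
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $full = realpath($base . $userFile);
    if ($full === false) {
        return null; // realpath() requires the target to exist
    }
    return strncmp($full, $base, strlen($base)) === 0 ? $full : null;
}

/** Point 2b: escape a cleaned value for HTML output (text or attribute). */
function escapeForHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// --- request handling ---------------------------------------------------
// Point 2a: read through Request instead of touching $_POST / $_GET directly.
$op       = Request::getString('op', 'form');            // POST or GET
$albId    = Request::getInt('alb_id', 0, 'POST');        // POST only
$fileName = Request::getString('filename', '', 'POST');  // POST only

$uploadDir = XOOPS_ROOT_PATH . '/uploads/albums'; // hypothetical location

if ($op === 'download') {
    $path = resolveInsideDir($uploadDir, $fileName);
    if ($path === null) {
        // Traversal, symlink escape or missing file: refuse rather than guess.
        header('HTTP/1.1 400 Bad Request');
        exit('Invalid file name.');
    }
    // The value echoed back to the page goes through escapeForHtml(), never raw.
    echo '<p>Sending ' . escapeForHtml(basename($path)) . ' from album '
        . (int) $albId . '</p>';
    readfile($path);
    exit;
}

// Form display: the value attribute is escaped so quotes cannot break out of it.
echo '<input type="text" name="filename" value="'
    . escapeForHtml($fileName) . '">';
```

Two practical notes: realpath() returns false for a path that does not yet exist, so for a file you are about to write, resolve and compare the directory part and then validate the basename separately; and the trailing separator appended to the permitted path matters, because a plain prefix test would accept a sibling directory whose name merely begins with the permitted one.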

geekwright (Quite a regular, Posts: 240, Since: 2010/10/15)
Posted on: 3/31 0:20
#3

Re: Sanitizing inputs

Quote:

loukaum wrote:

MyTextSanitizer is deprecated? ...

I would agree with Mamba's post

As to the deprecation of MyTextSanitizer, let me clearly state that it is still an important part of XOOPS, and is not deprecated. Most input needs are better handled with Xmf\Request now, but the text sanitizer is still with us and has a future. (It actually improves and grows in 2.6.)

A number of methods in MyTextSanitizer have been deprecated for quite some time. There is a comment line that marks the set of deprecated methods that are at the bottom of the class/module.textsanitizer.php file.

In 2.5.9 we did deprecate some of the extensions -- mms, wmp and rtsp -- that support media formats that are virtually extinct on the modern web. All of those got new options to disable editor buttons, even if the extensions are enabled. Flash got a similar treatment. If you have legacy content, the extensions should function as best they can. But creating new content with these is discouraged.

I hope that clears things up.

loukaum (Just popping in, Posts: 92, Since: 2003/11/2)
Posted on: 4/2 15:22
#4

Re: Sanitizing inputs

Firstly, I would like to thank you for the answers and apologize for taking so long to do so; here in Brazil it was a holiday weekend and I stepped away from the PC a little.
I will use MyTextSanitizer according to the instructions. Again, my deepest thanks!

Mamba (Moderator, Posts: 10570, Since: 2004/4/23)
Posted on: 4/2 23:52
#5

Re: Sanitizing inputs

Always happy to help!

Are you on GitHub? Make sure you're there, as all the XOOPS development is happening on GitHub:

https://github.com/XOOPS/XoopsCore25

https://github.com/XOOPS/XoopsCore

https://github.com/XoopsModules25x

https://github.com/XoopsThemes

Mamba (Moderator, Posts: 10570, Since: 2004/4/23)
Posted on: 4/13 12:00
#6

Re: Sanitizing inputs

But make sure that you first use Request for all your variable reading from $_POST and $_GET, like here:

use Xmf\Request;

$op    = Request::getString('op', 'form');      // for both POST and GET
$albId = Request::getInt('alb_id', 0, 'POST');  // specifically for POST