Closed dhrrgn closed 3 years ago
Other notes: "One more thing I didn’t put in the issues: Check if the value is an array when a string is expected." "If you are sanitizing the post or get data there could be array in there (checkboxes[]) which would cause an issue for most filters."
Again, looking through with a a magnifying glass trying to find the issues that commenter seemed to see.
I found 2 issues.
filterHtmlentities()
method does not specify any flags, encoding type or disable double encoding. These can cause issues. Without aENT_QUOTES
flag, it will not convert single quotes, only double, which could lead to some XSS issues or worse, the other two options are just to make sure everything looks correct when outputted. I recommend using the following:Note: You should use whatever encoding the user is (I imagine it is a config option somewhere I didn't see).
filterStriptags()
uses thestrip_tags()
function, which is insecure and generally cannot be trusted (for example see here http://htmlpurifier.org/comparison#striptags). You should use the following instead:Even though this still does not stop all possible threats, it is a better option.
Overall, I think that for input/output filtering you should use something along the lines of HTML Purifier or htmLawed. They add a bit of bulk and are slower, but they do a much much better job of preventing XSS and other types of attacks.