formtools / core

The Form Tools Core.
https://formtools.org

Form CSS and SQL injection protection #377

Open paulshalikashvilli opened 5 years ago

paulshalikashvilli commented 5 years ago

Which files should be modified for CSS and SQL injection protection? Is any protection built into the tool, or does this have to be done manually? Please share your experience with securing your forms.

benkeen commented 5 years ago

Hey @paulshalikashvilli, good question! Up to Form Tools 2, SQL injection was prevented by the script manually escaping form content before insertion in the database. I'm pretty sure that was perfectly reliable, but I was glad to upgrade Form Tools 3 to use PDO for all database interaction - that was designed to prevent SQL injection attacks. Technically there are very obscure ways to get around PDO to inject SQL but I haven't encountered any loopholes with Form Tools yet.

CSS injection hasn't been a concern at any point: we're not importing any CSS from any external sources.

Also, just FYI, we recently had the application scanned by Netsparker - very kind of them! Reminds me I need to post a thank you on Twitter...! They did find a few XSS issues with pages within the admin interface, but speaking realistically, these aren't concerns. If a malicious attacker got access to the administration area there would be no point using XSS attacks at that point: they could do far more damage just through Form Tools itself.
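To make the PDO point concrete, here is an added example (not Form Tools code, and not from anyone in this thread) that stores one constructed form submission twice: once with the field values concatenated into the SQL text, once through a PDO prepared statement, and then encodes the stored value for HTML output. It uses an in-memory SQLite database so it runs offline; the table name, the columns and the submission payload are all assumptions made for the example.

```php
<?php
// Added example, not Form Tools code. Contrasts SQL built by string
// concatenation with a PDO prepared statement, then shows output encoding
// for the stored value. Uses an in-memory SQLite database so it runs offline;
// the table name, columns and the submission payload are all constructed here.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for native server-side prepares. With emulation on, PDO splices the
// bound values into the SQL text client-side, which is where the rare PDO
// bypasses (charset-dependent escaping) have been reported. SQLite always
// prepares natively; the attribute matters for MySQL, which Form Tools
// normally runs on.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE submissions (id INTEGER PRIMARY KEY, name TEXT, comment TEXT)');

// Constructed submission: the "name" field carries a quote that closes the
// string literal and supplies its own value for the next column.
$submission = [
    'name'    => "Mallory', 'attacker-chosen comment'); --",
    'comment' => '<script>alert(document.cookie)</script>',
];

// Vulnerable: field values are interpolated into the statement text.
function insertUnsafe(PDO $pdo, array $s): int
{
    $sql = "INSERT INTO submissions (name, comment) VALUES ('{$s['name']}', '{$s['comment']}')";
    $pdo->exec($sql);
    return (int) $pdo->lastInsertId();
}

// Safe: placeholders; bound values travel as data and are never parsed as SQL.
function insertSafe(PDO $pdo, array $s): int
{
    $stmt = $pdo->prepare('INSERT INTO submissions (name, comment) VALUES (:name, :comment)');
    $stmt->execute([':name' => $s['name'], ':comment' => $s['comment']]);
    return (int) $pdo->lastInsertId();
}

function fetchRow(PDO $pdo, int $id): array
{
    $stmt = $pdo->prepare('SELECT name, comment FROM submissions WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

$safeId   = insertSafe($pdo, $submission);
$unsafeId = insertUnsafe($pdo, $submission);

$safeRow   = fetchRow($pdo, $safeId);
$unsafeRow = fetchRow($pdo, $unsafeId);

// Prepared statement: both fields are stored exactly as submitted.
assert($safeRow['name'] === $submission['name']);
assert($safeRow['comment'] === $submission['comment']);

// Concatenation: the quote in "name" rewrote the statement, so the stored
// comment is the attacker's text and the real comment never reached the table.
assert($unsafeRow['name'] === 'Mallory');
assert($unsafeRow['comment'] === 'attacker-chosen comment');

// XSS is an output problem, not a storage problem: the safe row holds the
// raw <script> tag verbatim, so encode at render time for the HTML context.
function renderCell(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

echo renderCell($safeRow['comment']), PHP_EOL;
```

The escaping approach the comment attributes to Form Tools 2 corresponds to wrapping each value in `$pdo->quote()` before concatenation; it works when applied everywhere, but prepared statements remove the need to remember it at every call site, which is why the upgrade to PDO is the stronger design.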

paulshalikashvilli commented 5 years ago

Thank you benkeen for your fast response. Yes, I'm also mindful of XSS vulnerabilities. The Admin interface is behind TLS, login and 2FA, so any XSS is lower severity than if open to the web. Also looks like input validation is controllable for most text fields except "textarea". I just turned that into a large "textbox" and was able to apply validation. I'll pen-test my install to see if I can break it.

So Netsparker didn't find XSS on web-facing forms?

paulshalikashvilli commented 5 years ago

Speaking of input validation in the "textarea" field type. Why is there only one input validation option for that field type? The "textbox" type has 5 validation methods.

benkeen commented 5 years ago

So Netsparker didn't find XSS on web-facing forms?

Nothing was reported, but of course all forms are different. That said I haven't heard of any security issues with the Form Builder-generated forms.

Speaking of input validation in the "textarea" field type. Why is there only one input validation option for that field type? The "textbox" type has 5 validation methods.

The ones for the input fields are really specific to input fields: they're much more likely to require numeric, alphanumeric, letters only etc - hence the extra validation rules. I suppose a user might also use a textarea to only have numeric values but it seems a lot less likely.

Did you find you needed a specific validation rule for a textarea that isn't provided?