[TYPO3-dev] Proposal: Sanitize GET/POST parameters

Reinhard Führicht rf at typoheads.at
Mon Jul 5 14:06:15 CEST 2010


Hi,

TYPO3 doesn't sanitize the values submitted in GET or POST and leaves it 
to the extension authors or the writers of TypoScript to care about XSS 
and SQLI.
This way, one can never be sure whether a third-party extension, or even 
one's own extension, is safe.
Furthermore, TypoScript code like this can be very dangerous:

lib.something = TEXT
lib.something.data = GPvar:myParam

I propose to let TYPO3 do some basic filtering which can be customized 
globally via TypoScript.
The attached patch adds some filtering code to stdWrap. The first time 
stdWrap is called, all GET/POST parameters get sanitized as configured 
in TypoScript.
Sanitizing is divided into various tasks:
- Cast values to int if configured
- Remove bad words from value as configured
- Perform XSS filtering

The patch also adds a new script for XSS filtering because RemoveXSS is 
not really reliable in my view. To make the new script work, there's a 
need to do some basic charset detection to be able to handle UTF-8 
correctly.

The TypoScript code could look similar to this:

config.sanitizegp {
   intParams = param1, param4
   badWords = select,union,delete
   keepParams = param2, param3
}

intParams:
Will call intval() on each parameter in the list

badWords:
These words will be stripped out of the parameter content

keepParams:
These parameters will be passed through and remain untouched

This is just a proof of concept. There are certain open issues, like how to 
process arrays (e.g. param1[param]) or the small set of TypoScript options 
(there could be more, like disableXSS, ...).

The goal of this is to make it easier for admins and users to make their 
TYPO3 website safer. It doesn't mean that it is bulletproof, but it 
should give a certain amount of security. Default URL parameters like 
id, type and L are set as intParams in the default setting.

I would like to hear your opinions about that. Is this a useful feature?
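As an added example (not the attached patch, and not part of the original message): a stand-alone PHP sketch of the sanitizing pass the proposal describes, driven by the three TypoScript keys from the post (intParams, badWords, keepParams). It uses no TYPO3 API; the function names, the handling of nested arrays (a nested param1[param] inherits the rule of param1, one possible answer to the open array question), the htmlspecialchars() step standing in for the proposal's separate XSS script, and the sample request are all assumptions made for this demonstration.

```php
<?php
// Added example of the proposed GET/POST sanitizer. Not the attached patch,
// no TYPO3 API used. Config keys are the ones from the proposal; function
// names and the sample request below are made up for this demo.

/**
 * Parse the three comma-separated lists the way the TypoScript snippet
 * spells them (e.g. "param1, param4") into arrays of trimmed names.
 */
function sanitizegp_parseConfig(array $ts) {
    $list = function ($key) use ($ts) {
        if (empty($ts[$key])) {
            return array();
        }
        $names = array_map('trim', explode(',', $ts[$key]));
        return array_values(array_filter($names, 'strlen'));
    };
    return array(
        'intParams'  => $list('intParams'),
        'badWords'   => $list('badWords'),
        'keepParams' => $list('keepParams'),
    );
}

/**
 * Sanitize one parameter (scalar or array). $name is the top-level
 * parameter name, so nested arrays such as param1[param] are treated
 * according to the rule configured for param1 (assumption of this demo).
 */
function sanitizegp_value($value, $name, array $cfg) {
    if (in_array($name, $cfg['keepParams'], true)) {
        return $value;                      // keepParams: passed through untouched
    }
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = sanitizegp_value($v, $name, $cfg);
        }
        return $out;
    }
    if (in_array($name, $cfg['intParams'], true)) {
        return intval($value);              // intParams: intval() as in the proposal
    }
    $value = (string) $value;
    if ($cfg['badWords']) {
        // badWords: each word is removed case-insensitively in a single pass
        $value = str_ireplace($cfg['badWords'], '', $value);
    }
    // XSS step: plain HTML escaping for a UTF-8 page. This stands in for
    // the proposal's own XSS filter script, which is not reproduced here.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

/** Sanitize a merged GET/POST array according to a config.sanitizegp block. */
function sanitizegp_request(array $gp, array $ts) {
    $cfg   = sanitizegp_parseConfig($ts);
    $clean = array();
    foreach ($gp as $name => $value) {
        $clean[$name] = sanitizegp_value($value, (string) $name, $cfg);
    }
    return $clean;
}

// Constructed config, mirroring the TypoScript from the proposal plus the
// default intParams (id, type, L) it mentions.
$ts = array(
    'intParams'  => 'id, type, L, param1, param4',
    'badWords'   => 'select,union,delete',
    'keepParams' => 'param2, param3',
);

// Constructed sample request (GET and POST already merged into one array).
$gp = array(
    'id'     => '42abc',
    'param1' => array('param' => '7<script>'),
    'param4' => '<script>alert(1)</script>',
    'param2' => '<b>kept as is</b>',
    'q'      => "' UNION SELECT 1 --",
    'evil'   => 'selselectect',
);

print_r(sanitizegp_request($gp, $ts));
```

Running it shows the three rules at work: id and the nested param1[param] become integers, param2 arrives unchanged, and q loses its UNION and SELECT tokens. The constructed evil parameter illustrates the limit of the badWords approach: str_ireplace() makes one pass per word, so after "select" is cut out of "selselectect" the remaining characters spell "select" again. Word stripping therefore reduces exposure but is no replacement for parameterized queries in extensions and for escaping at output time.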