[TYPO3-dev] Proposal: Sanitize GET/POST parameters
Jigal van Hemert
jigal at xs4all.nl
Mon Jul 5 15:24:44 CEST 2010
Reinhard Führicht wrote:
> TYPO3 doesn't sanitize the values submitted in GET or POST and leaves it
> to the extension authors or the writers of TypoScript to care about XSS
> and SQLI.
It's very hard to filter this and in many cases it's not necessary at
all. For example, converting a parameter to an integer makes complicated
filtering a waste of resources.
> Furthermore TypoScript-Code like this can be very dangerous:
>
> lib.something = TEXT
> lib.something.data = GPvar:myParam
In general it is the responsibility of the administrator who wrote the
Typoscript code to make sure it's safe.
For a TEXT object htmlspecialchars will be enough to prevent HTML to be
injected in a page.
In the case of queries, the 'select' property has been extended in TYPO3
4.4 to support markers. The values which replace these markers are
properly quoted and escaped. By using markers you can safely use
GET/POST values inside queries in Typoscript.
> The patch also adds a new script for XSS filtering because RemoveXSS is
> not really reliable in my view.
Can you specify in which areas the RemoveXSS version which is
included in the core is not really reliable? It already filters a lot of
clever XSS attacks. Suggestions to improve it are always welcome!
> intParams:
> Will call intval() on each parameter in the list
There is already a function to convert to integer in Typoscript and of
course in the API for extensions.
> badWords:
> These words will be stripped out of the parameter content
As you may have seen in RemoveXSS, stripping 'bad words' is not really
simple. There are a lot of sneaky tactics to disguise a 'bad word' to
make it harder to detect. RemoveXSS tries to render these 'bad words'
harmless despite attempts to hide them.
Good to have someone thinking about security!
--
Jigal van Hemert
skype:jigal.van.hemert
msn: jigal at xs4all.nl
http://twitter.com/jigalvh
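The three approaches the reply mentions (htmlspecialchars for a TEXT object, casting to integer, and markers in the 'select' property of TYPO3 4.4), shown as TypoScript next to the risky snippet from the quoted mail. This is an added example, not code from either poster or from the TYPO3 core; the table tt_content, the field header and the parameter name are only illustrative.

```typoscript
# Added example (not from the original thread). Table/field names below are
# assumptions chosen for illustration; only "myParam" comes from the mail.

# Risky (the quoted snippet): the raw GET/POST value is rendered verbatim
lib.something = TEXT
lib.something.data = GPvar:myParam

# Output hardening: run the value through htmlspecialchars() before rendering
lib.safeText = TEXT
lib.safeText.data = GPvar:myParam
lib.safeText.htmlSpecialChars = 1

# Numeric parameter: casting makes any further filtering unnecessary
lib.safeInt = TEXT
lib.safeInt.data = GPvar:myParam
lib.safeInt.intval = 1

# Query hardening (TYPO3 4.4+): the value enters the WHERE clause only via a
# marker, which is quoted and escaped as a whole before substitution, so the
# marker is written without surrounding quotes
lib.safeQuery = CONTENT
lib.safeQuery {
  table = tt_content
  select {
    pidInList = this
    where = header = ###myParam###
    markers.myParam.data = GPvar:myParam
  }
  renderObj = TEXT
  renderObj.field = header
  renderObj.htmlSpecialChars = 1
}
```

The marker variant keeps the parameter out of string concatenation entirely, and the renderObj still escapes the fetched field so the stored value cannot re-enter the page as markup.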