[TYPO3-dev] Proposal: Sanitize GET/POST parameters

Jigal van Hemert jigal at xs4all.nl
Mon Jul 5 15:24:44 CEST 2010


Reinhard Führicht wrote:
> TYPO3 doesn't sanitize the values submitted in GET or POST and leaves it 
> to the extension authors or the writers of TypoScript to care about XSS 
> and SQLI.

It's very hard to filter this and in many cases it's not necessary at 
all. For example, converting a parameter to an integer makes complicated 
filtering a waste of resources.

> Furthermore TypoScript-Code like this can be very dangerous:
> 
> lib.something = TEXT
> lib.something.data = GPvar:myParam

In general it is the responsibility of the administrator who wrote the 
TypoScript code to make sure it's safe.
For a TEXT object htmlspecialchars will be enough to prevent HTML from 
being injected into a page.

In the case of queries, the 'select' property has been extended in TYPO3 
4.4 to support markers. The values which replace these markers are 
properly quoted and escaped. By using markers you can safely use 
GET/POST values inside queries in TypoScript.

> The patch also adds a new script for XSS filtering because RemoveXSS is 
> not really reliable in my view. 

Can you specify in which areas the RemoveXSS version which is 
included in the core is not really reliable? It already filters a lot of 
clever XSS attacks. Suggestions to improve it are always welcome!

> intParams:
> Will call intval() on each parameter in the list

There is already a function to convert to integer in TypoScript and of 
course in the API for extensions.

> badWords:
> These words will be stripped out of the parameter content

As you may have seen in RemoveXSS, stripping 'bad words' is not really 
simple. There are a lot of sneaky tactics to disguise a 'bad word' to 
make it harder to detect. RemoveXSS tries to render these 'bad words' 
harmless despite attempts to hide them.

Good to have someone thinking about security!

-- 
Jigal van Hemert
skype:jigal.van.hemert
msn: jigal at xs4all.nl
http://twitter.com/jigalvh
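The three remedies mentioned in this reply, written out as an added TypoScript illustration (not from the original thread or the TYPO3 core): the unescaped TEXT object beside its escaped form, integer conversion via stdWrap, and the TYPO3 4.4 select markers. The parameter names, the page id 123 and the `select.markers` syntax are assumptions.

```typoscript
# Echoing a request value into the page: the unescaped form (the risk
# quoted in the thread) beside the same object with escaping applied.
lib.something = TEXT
lib.something.data = GPvar:myParam

lib.safeText = TEXT
lib.safeText {
  data = GPvar:myParam
  # stdWrap escaping runs after the value is fetched; markup in the
  # parameter is rendered as text, not interpreted by the browser.
  htmlSpecialChars = 1
}

# A numeric parameter needs no filtering beyond conversion to integer.
lib.page = TEXT
lib.page {
  data = GPvar:page
  intval = 1
}

# Query built from a request value, using the select markers (TYPO3 4.4).
# The marker value is quoted and escaped by TYPO3 before substitution,
# so the parameter never reaches the WHERE clause as raw SQL.
lib.search = CONTENT
lib.search {
  table = tt_content
  select {
    pidInList = 123
    where = header LIKE ###search###
    markers {
      search.data = GPvar:q
      # constructed: surround the term with % for a LIKE match
      search.wrap = %|%
    }
  }
  renderObj = TEXT
  renderObj {
    field = header
    htmlSpecialChars = 1
    wrap = <li>|</li>
  }
  wrap = <ul>|</ul>
}
```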
