[TYPO3-dev] Proposal: Sanitize GET/POST parameters
Reinhard Führicht
rf at typoheads.at
Mon Jul 5 16:27:02 CEST 2010
On 2010-07-05 15:24, Jigal van Hemert wrote:
> Reinhard Führicht wrote:
>> TYPO3 doesn't sanitize the values submitted in GET or POST and leaves
>> it to the extension authors or the writers of TypoScript to care about
>> XSS and SQLI.
>
> It's very hard to filter this and in many cases it's not necessary at
> all. For example, converting a parameter to an integer makes complicated
> filtering a waste of resources.
I think it is necessary in all cases, except for integer parameters of
course. These parameters will not have to be filtered.
>
>> Furthermore TypoScript-Code like this can be very dangerous:
>>
>> lib.something = TEXT
>> lib.something.data = GPvar:myParam
>
> In general it is the responsibility of the administrator who wrote the
> Typoscript code to make sure it's safe.
> For a TEXT object htmlspecialchars will be enough to prevent HTML from being
> injected in a page.
Every time I use any url parameter in TypoScript or in my PHP code, I
have to worry about security. In my view it would be much more
comfortable to be able to globally manage the url parameters (however
the TypoScript may look like).
>
> In the case of queries, the 'select' property has been extended in TYPO3
> 4.4 to support markers. The values which replace these markers are
> properly quoted and escaped. By using markers you can safely use
> GET/POST values inside queries in Typoscript.
See above.
>
>> The patch also adds a new script for XSS filtering because RemoveXSS
>> is not really reliable in my view.
>
> Can you specify in which areas the RemoveXSS version which is
> included in the core is not really reliable? It already filters a lot of
> clever XSS attacks. Suggestions to improve it are always welcome!
As stated in my other post, RemoveXSS works fine. Apparently, the
misbehaviour got fixed some time ago.
>
>> intParams:
>> Will call intval() on each parameter in the list
>
> There is already a function to convert to integer in Typoscript and of
> course in the API for extensions.
See above: I have to do this every time I use a parameter in TypoScript
and this sucks :-)
>
>> badWords:
>> These words will be stripped out of the parameter content
>
> As you may have seen in RemoveXSS, stripping 'bad words' is not really
> simple. There are a lot of sneaky tactics to disguise a 'bad word' to
> make it harder to detect. RemoveXSS tries to render these 'bad words'
> harmless despite attempts to hide them.
I know that bad word filtering is more complicated than doing a simple
str_replace(), right now the provided code is just concept work, no
bullet-proofness :-)
>
> Good to have someone thinking about security!
>
There are clever guys taking care of securing TYPO3 and they do great
work. I just thought maybe this could be a simple way to provide a more
comfortable solution.
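As an added example (not code from TYPO3 or from either poster), the following PHP contrasts the badWords blacklist sketched in the proposal with the two approaches the reply recommends: intval() for integer parameters and htmlspecialchars() for a TEXT object rendered into HTML. The function names and the sample request values are constructed for illustration.

```php
<?php
// Added example, not TYPO3 core code. Function names and sample data are
// made up here to compare a blacklist with casting and output encoding.

// One-pass blacklist, roughly what the proposal's badWords option would do.
function stripBadWordsOnce(string $value, array $badWords): string
{
    return str_ireplace($badWords, '', $value);
}

// The same blacklist repeated until the value stops changing, so a token
// that is only formed after the first removal is caught as well. This is
// still a blacklist: it knows nothing about entities, attributes or other
// encodings, which is why RemoveXSS is considerably more involved.
function stripBadWordsUntilStable(string $value, array $badWords): string
{
    do {
        $before = $value;
        $value  = str_ireplace($badWords, '', $value);
    } while ($value !== $before);
    return $value;
}

// Context-aware output encoding for an HTML body, as suggested for a TEXT
// object: nothing is stripped, the markup characters simply become inert.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Integer parameters need no filtering beyond a cast (the intParams idea).
function intParam(array $params, string $name, int $default = 0): int
{
    return isset($params[$name]) ? intval($params[$name]) : $default;
}

// Constructed request values, not captured from a real request. The second
// one contains the bad word only after one copy of it has been removed.
$get = [
    'uid'     => '42abc',
    'myParam' => '<scrscriptipt>alert(1)</scrscriptipt>',
];
$badWords = ['script'];

echo intParam($get, 'uid'), PHP_EOL;                                // cast only
echo stripBadWordsOnce($get['myParam'], $badWords), PHP_EOL;        // tag reassembles
echo stripBadWordsUntilStable($get['myParam'], $badWords), PHP_EOL; // token gone, rest mangled
echo encodeForHtml($get['myParam']), PHP_EOL;                       // safe in an HTML body
```

Running the script shows the one-pass filter leaving a complete element behind, while the encoded form can be placed in an HTML text node unchanged.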