[TYPO3-dev] Proposal: Sanitize GET/POST parameters

Reinhard Führicht rf at typoheads.at
Mon Jul 5 16:27:02 CEST 2010


Am 2010-07-05 15:24, schrieb Jigal van Hemert:
> Reinhard Führicht wrote:
>> TYPO3 doesn't sanitize the values submitted in GET or POST and leaves
>> it to the extension authors or the writers of TypoScript to care about
>> XSS and SQLI.
>
> It's very hard to filter this and in many cases it's not necessary at
> all. For example, converting a parameter to an integer makes complicated
> filtering a waste of resources.

I think it is necessary in all cases, except for integer parameters of 
course. These parameters will not have to be filtered.

>
>> Furthermore TypoScript-Code like this can be very dangerous:
>>
>> lib.something = TEXT
>> lib.something.data = GPvar:myParam
>
> In general it is the responsibility of the administrator who wrote the
> Typoscript code to make sure it's safe.
> For a TEXT object htmlspecialchars will be enough to prevent HTML to be
> injected in a page.

Every time I use any URL parameter in TypoScript or in my PHP code, I 
have to worry about security. In my view it would be much more 
comfortable to be able to globally manage the URL parameters (however 
the TypoScript may look like).


>
> In the case of queries, the 'select' property has been extended in TYPO3
> 4.4 to support markers. The values which replace these markers are
> properly quoted and escaped. By using markers you can safely use
> GET/POST values inside queries in Typoscript.

See above.

>
>> The patch also adds a new script for XSS filtering because RemoveXSS
>> is not really reliable in my view.
>
> Can you specify in which areas the RemoveXSS version which is
> included in the core is not really reliable? It already filters a lot of
> clever XSS attacks. Suggestions to improve it are always welcome!

As stated in my other post, RemoveXSS works fine. Apparently, the 
misbehaviour got fixed some time ago.

>
>> intParams:
>> Will call intval() on each parameter in the list
>
> There is already a function to convert to integer in Typoscript and of
> course in the API for extensions.

See above: I have to do this every time I use a parameter in TypoScript 
and this sucks :-)

>
>> badWords:
>> These words will be stripped out of the parameter content
>
> As you may have seen in RemoveXSS, stripping 'bad words' is not really
> simple. There are a lot of sneaky tactics to disguise a 'bad word' to
> make it harder to detect. RemoveXSS tries to render these 'bad words'
> harmless despite attempts to hide them.

I know that bad word filtering is more complicated than doing a simple 
str_replace(), right now the provided code is just concept work, no 
bullet-proofness :-)

>
> Good to have someone thinking about security!
>

There are clever guys taking care of securing TYPO3 and they do great 
work. I just thought maybe this could be a simple way to provide a more 
comfortable solution.
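As an added illustration (not code from the proposal, the patch, or the TYPO3 core), here is what the intParams half of the idea looks like in plain PHP, paired with context-specific escaping for the two output cases named in the thread: htmlspecialchars() for a TEXT object and a bound query parameter instead of string concatenation. The function names, the table and the sample request are my own assumptions.

```php
<?php
// Added example, not TYPO3 core code: apply the "intParams" idea from the
// proposal and escape per output context rather than stripping "bad words".

// Cast every parameter named in $intParams to int; leave the rest as strings.
// Integer parameters need no further filtering, which is the point made above.
function sanitizeParams(array $params, array $intParams): array
{
    $clean = [];
    foreach ($params as $name => $value) {
        if (in_array($name, $intParams, true)) {
            $clean[$name] = intval($value);      // "42abc" -> 42, "<b>" -> 0
        } else {
            $clean[$name] = (string) $value;     // kept raw, escaped at output time
        }
    }
    return $clean;
}

// Output context 1: a TEXT content object rendering the value into HTML.
// ENT_QUOTES also covers the attribute context (value="..."), which plain
// htmlspecialchars() defaults would leave open for single quotes.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Output context 2: a query. The values are bound, never concatenated into
// the SQL string, so no quoting or escaping of the parameter is needed here.
// Table and column names are assumptions for the example.
function fetchByUidAndTitle(PDO $db, int $uid, string $title): array
{
    $stmt = $db->prepare(
        'SELECT uid, title FROM tt_content WHERE uid = :uid AND title = :title'
    );
    $stmt->execute([':uid' => $uid, ':title' => $title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample request (assumption, not taken from the thread).
$request = ['myParam' => '<b onclick="x">hello</b>', 'uid' => '42abc'];
$clean   = sanitizeParams($request, ['uid']);

var_dump($clean['uid']);                // int(42)
echo escapeForHtml($clean['myParam']);  // &lt;b onclick=&quot;x&quot;&gt;hello&lt;/b&gt;
```

The query function is only defined here, not called, since it needs a live PDO connection; the rest runs as-is with the PHP CLI.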
