[TYPO3-dev] Proposal: Sanitize GET/POST parameters

Dmitry Dulepov dmitry at typo3.org
Tue Jul 6 17:04:00 CEST 2010


Hi!

Reinhard Führicht wrote:
> TYPO3 doesn't sanitize the values submitted in GET or POST and leaves it
> to the extension authors or the writers of TypoScript to care about XSS
> and SQLI.

I recognize the danger but I think that leaving it up to developers what to
do with data is a good idea. We'd better educate the developers instead of
trying to make workarounds. Just an opinion...

> The patch also adds a new script for XSS filtering because RemoveXSS is
> not really reliable in my view. To make the new script work, there's a
> need to do some basic charset detection to be able to handle UTF-8
> correctly.

Please do not make the stdWrap function longer. Your new code should go into a
separate function with a good name that can be called to perform its own
task. stdWrap is already long enough.

Logically, sanitizing does not belong in stdWrap. It is general-purpose
code. It would be better to call it in index.php, not in stdWrap. Your
current solution does not work for eID, for example.

> I would like to hear your opinions about that. Is this a useful feature?

As I said, I'd rather leave it to developers... But I do not insist. I
understand that many developers have no clue how dangerous XSS can be.

-- 
Dmitry Dulepov
TYPO3 core&security teams member
Twitter: http://twitter.com/dmitryd
Read more @ http://dmitry-dulepov.com/
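The split argued for in the reply above (a stand-alone sanitizer called once from the entry script, kept out of stdWrap so that eID requests get the same treatment, with UTF-8 handled before any byte-level filtering, and escaping still done at the output site), as an added illustration in plain PHP. This is not TYPO3 core code and not the patch under discussion; the function names and the sample request array are hypothetical and constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. A request sanitizer that an entry script
// such as index.php could call once before dispatching anything, so page
// requests and eID requests are normalised the same way. Function names
// (sanitizeRequestArray, escapeForHtml) are hypothetical.

/**
 * Normalise a raw GET/POST array.
 *  - invalid UTF-8 is repaired first: byte-oriented XSS filters can be
 *    bypassed with malformed multibyte sequences, so charset handling
 *    has to come before any pattern matching;
 *  - NUL bytes are stripped (they truncate strings in C-backed APIs);
 *  - nested arrays (tx_ext[page]=...) are handled recursively.
 * This does NOT make output safe by itself; escaping still happens
 * at output time, in the context the value is rendered into.
 */
function sanitizeRequestArray(array $input): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        if (is_array($value)) {
            $clean[$key] = sanitizeRequestArray($value);
            continue;
        }
        $value = (string) $value;
        if (!mb_check_encoding($value, 'UTF-8')) {
            // Re-encoding UTF-8 to UTF-8 replaces invalid byte sequences
            // with the substitute character ('?' by default).
            $value = mb_convert_encoding($value, 'UTF-8', 'UTF-8');
        }
        $clean[$key] = str_replace("\0", '', $value);
    }
    return $clean;
}

/**
 * Escaping for HTML text and double-quoted attribute context. This is the
 * step that actually stops XSS, and it belongs where the value is output,
 * which is why the request filter above cannot replace it.
 */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// --- usage at the entry point --------------------------------------------
// In a real entry script these would be $_GET / $_POST. Constructed input:
$rawGet = [
    'id'     => "42\0",                        // NUL byte appended
    'search' => "<script>alert(1)</script>",   // classic XSS probe
    'name'   => "Fu\xC3hricht",                // truncated UTF-8 sequence
    'tx_ext' => ['page' => "<img src=x onerror=alert(2)>"],
];

$get = sanitizeRequestArray($rawGet);
// $get['id']   === "42",        $get['name'] === "Fu?hricht"

// Later, in a template, a plugin, or an eID script alike:
echo '<input name="search" value="' . escapeForHtml($get['search']) . '">', "\n";
echo '<p>' . escapeForHtml($get['tx_ext']['page']) . '</p>', "\n";
```

The sanitizer only normalises what arrives; it deliberately does not try to strip "dangerous" HTML, because the safe representation of a value depends on where it is rendered (HTML body, attribute, JavaScript, SQL) and only the output site knows that. Calling it from the entry script rather than from stdWrap is what makes it apply to eID as well.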