[TYPO3-dev] Proposal: Sanitize GET/POST parameters
Dmitry Dulepov
dmitry at typo3.org
Tue Jul 6 17:04:00 CEST 2010
Hi!
Reinhard Führicht wrote:
> TYPO3 doesn't sanitize the values submitted in GET or POST and leaves it
> to the extension authors or the writers of TypoScript to care about XSS
> and SQLI.
I recognize the danger but I think that leaving it up to developers what to
do with data is a good idea. We'd better educate the developers instead of
trying to make workarounds. Just an opinion...
> The patch also adds a new script for XSS filtering because RemoveXSS is
> not really reliable in my view. To make the new script work, there's a
> need to do some basic charset detection to be able to handle UTF-8
> correctly.
Please, do not make stdWrap function longer. Your new code should go into
the separate function with a good name that can be called to perform its
own task. stdWrap is already long enough.
Logically sanitizing does not belong to stdWrap. It is a generic purpose
code. It would be better to call it in index.php, not in stdWrap. Your
current solution does not work for eID, for example.
> I would like to hear your opinions about that. Is this a useful feature?
As I said, I'd rather leave it to developers... But I do not insist. I
understand that many developers have no clue how dangerous XSS can be.
--
Dmitry Dulepov
TYPO3 core&security teams member
Twitter: http://twitter.com/dmitryd
Read more @ http://dmitry-dulepov.com/
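As an added example (not code from this thread, from TYPO3 core, or from the patch under discussion), this is the developer-side practice Dmitry is arguing for: validate the charset once at the request entry point, keep raw values, and escape at each sink instead of running one blanket filter over GET/POST. All function names and the sample request are hypothetical.

```php
<?php
// Added example; function names are hypothetical, not TYPO3 API.

// Charset check at entry: a filter that inspects bytes without knowing the
// encoding can be fooled by overlong or truncated UTF-8 sequences.
function assertUtf8(string $value, string $name): string
{
    if (!mb_check_encoding($value, 'UTF-8')) {
        throw new InvalidArgumentException("Parameter '$name' is not valid UTF-8");
    }
    return $value;
}

// Blanket approach: strip tags from every parameter at request entry.
// It mangles legitimate input containing '<' and does nothing for values
// that later reach SQL or a JavaScript context.
function blanketFilter(array $params): array
{
    return array_map(fn($v) => strip_tags((string) $v), $params);
}

// Context-specific approach: one escaper per sink, applied at output time.
function forHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function forJsString(string $raw): string
{
    // Hex-escaped JSON is safe as a string literal inside a <script> block.
    return json_encode($raw, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

function forSql(PDO $db, string $raw): PDOStatement
{
    // Bound parameter: the driver keeps data separate from the SQL text.
    $stmt = $db->prepare('SELECT id FROM demo WHERE header = :h');
    $stmt->execute([':h' => $raw]);
    return $stmt;
}

// Constructed sample request (not real traffic).
$get = ['q' => 'if 5<7 then 7>5', 'name' => "O'Brien"];
foreach ($get as $k => $v) { assertUtf8($v, $k); }

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE demo (id INTEGER, header TEXT)');
$db->exec("INSERT INTO demo VALUES (1, 'O''Brien')");

var_dump(blanketFilter($get)['q']);   // compare with the raw value in $get
echo forHtml($get['q']), "\n";
echo forJsString($get['name']), "\n";
var_dump(forSql($db, $get['name'])->fetch(PDO::FETCH_ASSOC));
```

Requires the mbstring and pdo_sqlite extensions; run with `php example.php` and compare the blanket-filtered `q` with the raw value to see the data loss Dmitry's objection refers to.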