[TYPO3-dev] Proposal: Sanitize GET/POST parameters

Reinhard Führicht rf at typoheads.at
Tue Jul 6 17:20:36 CEST 2010


Am 2010-07-06 17:04, schrieb Dmitry Dulepov:
> Hi!
>
> Reinhard Führicht wrote:
>> TYPO3 doesn't sanitize the values submitted in GET or POST and leaves it
>> to the extension authors or the writers of TypoScript to care about XSS
>> and SQLI.
>
> I recognize the danger but I think that leaving it up to developers what to
> do with data is a good idea. We'd better educate the developers instead of
> trying to make workarounds. Just an opinion...

Not everybody who knows how to set up a TYPO3 Website is a developer.
And as you said below, not every developer, and, I add, not every Certified 
Integrator and not every person with the knowledge to use stdWrap, has 
knowledge about the dangers "out there".
In my view, basic security settings are mandatory. If a developer wants 
to take care of security himself, he should be able to set something 
like:

config.sanitizeGP.disable = 1

>
>> The patch also adds a new script for XSS filtering because RemoveXSS is
>> not really reliable in my view. To make the new script work, there's a
>> need to do some basic charset detection to be able to handle UTF-8
>> correctly.
>
> Please, do not make stdWrap function longer. Your new code should go into
> the separate function with a good name that can be called to perform its
> own task. stdWrap is already long enough.
>
> Logically sanitizing does not belong to stdWrap. It is a generic purpose
> code. It would be better to call it in index.php, not in stdWrap. Your
> current solution does not work for eID, for example.

Yes, of course. I made a small extension for this task a while ago and 
used a hook in stdWrap to integrate my code. Therefore, for this 
proposal here, I more or less just copy-pasted the code from my 
extension into core.
If the code would be integrated into core, it must be totally rewritten, 
of course.

>
>> I would like to hear your opinions about that. Is this a useful feature?
>
> As I said, I'd rather leave it to developers... But I do not insist. I
> understand that many developers have no clue how dangerous XSS can be.
>
