Bug #2851
TextValidator is insecure
Status: | Resolved | Start date: | 2009-03-16 | |
---|---|---|---|---|
Priority: | Must have | Due date: | ||
Assigned To: | Andreas Förthner | % Done: | 0% |
|
Category: | Validation | |||
Target version: | - | |||
PHP Version: | Complexity: | |||
Has patch: | Affected Flow version: |
Description
The TextValidator is insecure. It filters an input string based on a black list only with ASCII chars:
if (!is_string($value) || preg_match('/<[\/]*[a-z,A-Z,0-9]*>/', $value)) {
[...]
}
XSS injections could be decoded e.g. in hexadecimal format. I propose the following solution:
if ($value !== filter_var($value, FILTER_SANITIZE_STRING)) {
[...]
}
-- jochen
Related issues
Associated revisions
FLOW3:
- TextValidator now uses filter_var() to check value, refs #2851
History
#1 Updated by Karsten Dambekalns over 6 years ago
- Status changed from New to Accepted
- Assigned To changed from Andreas Förthner to Karsten Dambekalns
Won by Jochen Weiland during the bug auction at T3BOARD09
#2 Updated by Karsten Dambekalns over 6 years ago
- Assigned To changed from Karsten Dambekalns to Andreas Förthner
#3 Updated by Andreas Förthner over 6 years ago
- Status changed from Accepted to Resolved
I could not find any other XSS strings, as they all need some kind of HTML-Tag in the string. Encoded tags are already sanitized.