Bug #3977
TextValidator is insecure
| Status: | Rejected | Start date: | |||
|---|---|---|---|---|---|
| Priority: | Should have | Due date: | |||
| Assigned To: | - | % Done: | 20% |
||
| Category: | Validation | ||||
| Target version: | - | Estimated time: | 6.00 hours | ||
| PHP Version: | Complexity: | ||||
| Has patch: | No | Affected Flow version: | FLOW3 1.0.0 |
Description
The TextValidator currently allows strings like
%3cspan style="color: #BBBBBB;"%3ea nice text%3c/span%3e
It seems like we can't solve this completely with filter_var because then characters like percent, semikolon, quotes etc. can't be used in a text. In general the test case lacks realistic string which should pass the validator.
TextValidatorTest.php.patch
- Patch for the unit test
(4.8 kB)
Related issues
Associated revisions
[~BUGFIX] FLOW3 (Validation): The ValidatorResolver test case failed - but only if the Blog package was installed. This was due to some Blog model being used by a data provider which in reality should have been a sample, not existing class. Fixed that.
[~TASK] FLOW3 (Validation): The TextValidator was too restrictive because it did not allow line breaks and other common characters - now it does. However, it's not really secure yet. Relates to #3977
[+BUGFIX] Fluid (Core): Added some safe guard and aception to the Abstract Node which would exit with a fatal error in some cases.
[TASK] Improve TextValidator unit tests
This introduces more test texts for the TextValidator tests.
Change-Id: Ie461a82fec5ead10941031c53e32694d4d0b44d2
Related: #3977
Releases: 1.0, 1.1
History
#1 Updated by Robert Lemke almost 6 years ago
- Target version deleted (
1.0 alpha 3)
#2 Updated by Robert Lemke over 5 years ago
- Target version set to 1.0 alpha 8
#3 Updated by Karsten Dambekalns over 5 years ago
- File TextValidatorTest.php.patch added
- Priority changed from Could have to Should have
Attached a patch for the unit test that makes adding new valid and invalid input easier.
#4 Updated by Robert Lemke over 5 years ago
- Status changed from New to Accepted
- Assigned To set to Robert Lemke
- % Done changed from 0 to 20
- Estimated time set to 6.00
#5 Updated by Robert Lemke over 5 years ago
- Start date deleted (
2009-03-16)
#6 Updated by Karsten Dambekalns over 5 years ago
- Target version changed from 1.0 alpha 8 to 1.0 alpha 9
#7 Updated by Robert Lemke about 5 years ago
- Target version deleted (
1.0 alpha 9)
#8 Updated by Karsten Dambekalns almost 4 years ago
- Affected Flow version set to FLOW3 1.0.0
#9 Updated by Bastian Waidelich over 3 years ago
- Has patch set to No
IMO TextValidator should be removed as it depends on the context whether a string is insecure or not (also see comment at #6121)
#10 Updated by Christian Müller over 3 years ago
- Status changed from Accepted to Rejected
- Assigned To deleted (
Robert Lemke)
The test improvements are in review now, I will close this, we could decide to deprecate the TextValidator at some point. I added also some longer comment to the TextValidator to point out that it won't make sure the validated string is secure in all possible output environments.