Bug #2851

TextValidator is insecure

Added by Jochen Rau over 10 years ago. Updated almost 9 years ago.

Status:
Resolved
Priority:
Must have
Category:
Validation
Target version:
-
Start date:
2009-03-16
Due date:
% Done:

0%

PHP Version:
Has patch:
Complexity:

Description

The TextValidator is insecure. It filters an input string based on a black list only with ASCII chars:

if (!is_string($value) || preg_match('/<[\/]*[a-z,A-Z,0-9]*>/', $value)) {
[...]
}

XSS injections could be decoded e.g. in hexadecimal format. I propose the following solution:

if ($value !== filter_var($value, FILTER_SANITIZE_STRING)) {
[...]
}

-- jochen

TextValidator.diff View (577 Bytes) Jochen Rau, 2009-03-16 12:13
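As an added example (not code from this report or from Flow itself), the quoted blacklist regex and the proposed filter_var() check side by side on constructed inputs; the helper names are assumptions. It also shows the caveat a practitioner should know about the proposed check: FILTER_SANITIZE_STRING encodes quotes, so the strict comparison rejects a harmless apostrophe unless FILTER_FLAG_NO_ENCODE_QUOTES is passed.

```php
<?php
// Added example, not Flow's own validator. Helper names are assumptions.

// The check as quoted in the report: rejects only bare <tag> / </tag> forms
// (note the commas inside the character class also match a literal comma).
function isValidTextBlacklist(string $value): bool
{
    return !preg_match('/<[\/]*[a-z,A-Z,0-9]*>/', $value);
}

// The proposed check: accept only input that filter_var() leaves untouched.
// FILTER_SANITIZE_STRING strips tags AND HTML-encodes ' and " as entities,
// so a legitimate apostrophe fails the comparison unless the
// FILTER_FLAG_NO_ENCODE_QUOTES flag is supplied.
function isValidTextFilterVar(string $value, int $flags = 0): bool
{
    return $value === filter_var($value, FILTER_SANITIZE_STRING, $flags);
}

// FILTER_SANITIZE_STRING is deprecated since PHP 8.1; strip_tags() gives the
// same "was anything removed?" comparison without touching quotes.
function isValidTextStripTags(string $value): bool
{
    return $value === strip_tags($value);
}

function label(bool $valid): string
{
    return $valid ? 'ok' : 'REJECT';
}

// Constructed inputs: harmless text, a tag, and text with an apostrophe.
$samples = ['plain text', '<b>bold</b>', "it's fine"];

foreach ($samples as $sample) {
    printf(
        "%-14s regex:%-7s filter_var:%-7s filter_var(no quote enc):%-7s strip_tags:%s\n",
        var_export($sample, true),
        label(isValidTextBlacklist($sample)),
        label(isValidTextFilterVar($sample)),
        label(isValidTextFilterVar($sample, FILTER_FLAG_NO_ENCODE_QUOTES)),
        label(isValidTextStripTags($sample))
    );
}
```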


Related issues

Related to TYPO3.Flow - Bug #3977: TextValidator is insecure Rejected

Associated revisions

Revision 9f5ed7f9 (diff)
Added by Karsten Dambekalns over 10 years ago

FLOW3:
  • TextValidator now uses filter_var() to check value, refs #2851

History

#1 Updated by Karsten Dambekalns over 10 years ago

  • Status changed from New to Accepted
  • Assignee changed from Andreas Förthner to Karsten Dambekalns

Won by Jochen Weiland during the bug auction at T3BOARD09

#2 Updated by Karsten Dambekalns over 10 years ago

  • Assignee changed from Karsten Dambekalns to Andreas Förthner

#3 Updated by Andreas Förthner over 10 years ago

  • Status changed from Accepted to Resolved

I could not find any other XSS strings, as they all need some kind of HTML-Tag in the string. Encoded tags are already sanitized.
