Bug #2851

TextValidator is insecure

Added by Jochen Rau over 11 years ago. Updated about 10 years ago.

Status: Resolved
Priority: Must have
Category: Validation
Target version: -
Start date: 2009-03-16
Due date:
% Done: 0%
Estimated time:
PHP Version:
Has patch:
Complexity:

Description

The TextValidator is insecure. It filters an input string based on a black list only with ASCII chars:

if (!is_string($value) || preg_match('/<[\/]*[a-z,A-Z,0-9]*>/', $value)) {
[...]
}

XSS injections could be decoded e.g. in hexadecimal format. I propose the following solution:

if ($value !== filter_var($value, FILTER_SANITIZE_STRING)) {
[...]
}

-- jochen


Files

TextValidator.diff (577 Bytes), Jochen Rau, 2009-03-16 12:13

Related issues

Related to TYPO3.Flow - Bug #3977: TextValidator is insecure (Rejected)

#1

Updated by Karsten Dambekalns over 11 years ago

  • Status changed from New to Accepted
  • Assignee changed from Andreas Förthner to Karsten Dambekalns

Won by Jochen Weiland during the bug auction at T3BOARD09

#2

Updated by Karsten Dambekalns over 11 years ago

  • Assignee changed from Karsten Dambekalns to Andreas Förthner

#3

Updated by Andreas Förthner over 11 years ago

  • Status changed from Accepted to Resolved

I could not find any other XSS strings, as they all need some kind of HTML-Tag in the string. Encoded tags are already sanitized.
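
The two checks quoted in the description can be compared side by side. The following is an added example, not TYPO3 Flow code and not part of the ticket: it runs the regex check and the proposed `filter_var` check over constructed, benign inputs and prints the HTML-encoded form of each. The function names and sample strings are assumptions; note that `FILTER_SANITIZE_STRING` also encodes quotes by default and is deprecated as of PHP 8.1.

```php
<?php
// Added example, not TYPO3 Flow code. The two conditions are copied from the
// report; function names and sample inputs are constructed for illustration.

// Blacklist check quoted in the report: true means the value is rejected.
function rejectedByRegex($value): bool
{
    return !is_string($value)
        || preg_match('/<[\/]*[a-z,A-Z,0-9]*>/', $value) === 1;
}

// Proposed check: reject whenever sanitizing would change the value.
// FILTER_SANITIZE_STRING is deprecated as of PHP 8.1, so newer PHP
// versions emit a deprecation notice on this line.
function rejectedByFilter($value): bool
{
    return $value !== filter_var($value, FILTER_SANITIZE_STRING);
}

// Output encoding at render time, independent of either validator.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs (benign markup only).
$samples = [
    'plain text'           => 'Hello world',
    'bare tag'             => '<b>bold</b>',
    'tag with attribute'   => '<img src="logo.png" alt="logo">',
    'hex entity reference' => '&#x3C;b&#x3E;bold&#x3C;/b&#x3E;',
    'apostrophe'           => "It's fine",
    'non-string'           => 42,
];

printf("%-22s %-8s %-8s %s\n", 'case', 'regex', 'filter', 'encoded for HTML');
foreach ($samples as $label => $value) {
    printf(
        "%-22s %-8s %-8s %s\n",
        $label,
        rejectedByRegex($value) ? 'reject' : 'accept',
        rejectedByFilter($value) ? 'reject' : 'accept',
        encodeForHtml((string) $value)
    );
}
```

Rows where the two columns disagree are the cases to turn into regression tests for the validator.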
