Bug #7402
Inconsistent use of htmlentities validation checks (status: open)
Description
Forum: https://forum.pfsense.org/index.php?topic=127350.0
Various pages have a loop through the input parameters ($_POST, $_REQUEST etc.) checking for htmlentities() that the user has tried to "sneak in". It is done a bit differently in different pages, e.g. see:
firewall_nat_edit.php
firewall_nat_1to1_edit.php
firewall_nat_out_edit.php
or not at all:
firewall_rules_edit.php
This means that on some GUI pages the user can put characters like double-quotes, "<", ">" in the description field, and in others they cannot. It makes for an inconsistent user experience.
Sort out what htmlentities() etc input validation is really needed to protect against??? and then implement it consistently across the code.
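As an added illustration (not code from the pfSense tree or from the reporter), a self-contained PHP sketch of the two approaches the report contrasts: the per-page loop that rejects any parameter whose value htmlentities() would change, and the alternative of accepting the raw value and escaping it on output with htmlspecialchars(). The function names and the sample $post array are constructed for this example.

```php
<?php
// Added example, not pfSense code. Contrasts the input-rejection loop the
// report describes with escaping on output, which lets '<', '>' and '"'
// into the description without ever reaching the browser unescaped.

// Pattern seen on some *_edit.php pages: reject any parameter whose value
// htmlentities() would alter. Note this also rejects harmless non-ASCII
// text such as 'é', which htmlentities() turns into '&eacute;'.
function reject_if_entities_change(array $params): array
{
    $errors = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        if (htmlentities($value, ENT_QUOTES, 'UTF-8') !== $value) {
            $errors[] = "Invalid characters in '$name'";
        }
    }
    return $errors;
}

// Alternative: keep the raw value and escape it where it is rendered into
// HTML. The stored description keeps its characters; the browser receives
// entities, so the same rule applies on every page that displays it.
function render_description(string $raw): string
{
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . $safe . '</td>';
}

// Constructed sample input standing in for $_POST on a rule edit page.
$post = [
    'descr' => 'Allow "web" <LAN> & DMZ',
    'proto' => 'tcp',
];

// The rejection loop refuses 'descr' even though it is harmless once escaped.
print_r(reject_if_entities_change($post));

// Escaping on output renders the same description safely.
echo render_description($post['descr']), PHP_EOL;
```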
Updated by BBcan177 almost 8 years ago
How about the use of filter_var: http://php.net/manual/en/filter.filters.php
filter_var($value, FILTER_SANITIZE_STRING)
Updated by Phillip Davis almost 8 years ago
https://github.com/pfsense/pfsense/commit/11800cffd5bd0731596324cd4d26f829bf198174 allows users to put stuff like "&" or "<" in the description field.
The code is still inconsistent across pages, so needs some understanding of exactly what and why and then implement consistently.