Bug #7402

Inconsistent use of htmlentities validation checks

Added by Phillip Davis 4 months ago. Updated 4 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Web Interface
Target version: -
Start date: 03/17/2017
Due date:
% Done: 0%
Affected version: All
Affected Architecture:

Description

Forum: https://forum.pfsense.org/index.php?topic=127350.0

Various pages have a loop through the input parameters ($_POST, $_REQUEST, etc.) checking for htmlentities() that the user has tried to "sneak in". It is done a bit differently in different pages, e.g. see:
firewall_nat_edit.php
firewall_nat_1to1_edit.php
firewall_nat_out_edit.php

or not at all:
firewall_rules_edit.php

This means that on some GUI pages the user can put characters like double-quotes, "<", ">" in the description field, and in others they cannot. It makes for an inconsistent user experience.

Sort out what htmlentities() etc input validation is really needed to protect against??? and then implement it consistently across the code.
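To make the inconsistency concrete, here is an added illustration (example code, not pfSense's own) of the htmlentities() round-trip check the report describes, beside the output-encoding approach that lets a description keep characters like `&`, `<` or a double quote without them ever being rendered as markup. The function names, the error message and the `$_POST` contents are assumptions constructed for the example.

```php
<?php
// Added example, not pfSense code. Shows the pattern the report describes:
// an input-side "did htmlentities() change anything?" check, applied on some
// pages and not others, versus escaping consistently at output time.

// The round-trip check: any value that htmlentities() would alter is rejected.
// Applied only on some pages, this is what makes "&", "<", ">" or a double
// quote acceptable in one description field and refused in another.
function reject_html_chars(array $params): array {
    $errors = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        if (htmlentities($value, ENT_QUOTES, 'UTF-8') !== $value) {
            $errors[] = "The field '{$name}' contains invalid characters.";
        }
    }
    return $errors;
}

// The consistent alternative: store the description as typed and encode it
// wherever it is written into HTML, so the stored value needs no restriction
// and the browser never interprets the characters as tags or attributes.
function render_description(string $descr): string {
    return '<td>' . htmlspecialchars($descr, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Constructed sample input standing in for a submitted form (assumed field name).
$post = ['descr' => 'Allow "web" & <mail> traffic'];

// Page style A: the description is refused outright by the round-trip check.
print_r(reject_html_chars($post));

// Page style B: the same description is accepted and rendered encoded.
echo render_description($post['descr']), PHP_EOL;
```

Both styles prevent the value from becoming markup; the difference is whether the user is allowed to type the characters at all, which is exactly what varies from page to page in the report.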

History

#1 Updated by BBcan177 4 months ago

How about the use of filter_var: http://php.net/manual/en/filter.filters.php

filter_var($value, FILTER_SANITIZE_STRING)

#2 Updated by Phillip Davis 4 months ago

https://github.com/pfsense/pfsense/commit/11800cffd5bd0731596324cd4d26f829bf198174 allows users to put stuff like "&" or "<" in the description field.

The code is still inconsistent across pages, so needs some understanding of exactly what and why and then implement consistently.