Sanitize outputs

Permalink Browser Info Environment
Thank you for your great add-on. But I think you should add h() functions in the generated view.php files to sanitize user inputs.

<?php  if (isset($textbox) && trim($textbox) != ""){ ?>
<?php  echo h($textbox); ?>
<?php  } ?>

Please reconsider this.
Thanks again!

Type: Discussion
Status: Resolved
View Replies:
ramonleenders replied on at Permalink Reply

Thanks for you input on this. Can you explain to me what this does and the advantages over just echo'ing the input without calling this function? I mean, are you having troubles without calling this function? What could go wrong in scenarios? I'm willing to implement this of course, if I have reason to.

Kind regards,

hissy replied on at Permalink Reply
The only reason is security. Escaping some special characters with the h function will reduce the risks of XSS.
ramonleenders replied on at Permalink Reply
Hi Hissy,

Escaping output for text_box, text_area and email field types will do I assume? The rest of the fields got validation OR needs formatting (like WYSIWYG). Agree?

Kind regards,

hissy replied on at Permalink Reply
Yes, I agree that.

concrete5 Environment Information

# concrete5 Version
Core Version - 5.7.3
Version Installed - 5.7.3
Database Version - 20141219000000

# concrete5 Packages
Block Designer (0.9.8).

# concrete5 Overrides
blocks/back_to_top, blocks/book, languages/ja_JP, languages/site

# concrete5 Cache Settings
Block Cache - On
Overrides Cache - On
Full Page Caching - Off
Full Page Cache Lifetime - Every 6 hours (default setting).

# Server Software

# Server API

# PHP Version

# PHP Extensions
apache2handler, bcmath, bz2, calendar, Core, ctype, curl, date, dom, ereg, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, imap, intl, json, ldap, libxml, mbstring, mcrypt, mysql, mysqli, openssl, pcre, PDO, pdo_mysql, pdo_pgsql, pdo_sqlite, pgsql, Phar, posix, Reflection, session, SimpleXML, soap, sockets, SPL, sqlite3, standard, tokenizer, wddx, xml, xmlreader, xmlwriter, xsl, yaz, zip, zlib.

# PHP Settings
max_execution_time - 30
log_errors_max_len - 1024
max_file_uploads - 20
max_input_nesting_level - 64
max_input_time - 60
max_input_vars - 1000
memory_limit - 128M
post_max_size - 32M
sql.safe_mode - Off
upload_max_filesize - 32M
ldap.max_links - Unlimited
mysql.max_links - Unlimited
mysql.max_persistent - Unlimited
mysqli.max_links - Unlimited
mysqli.max_persistent - Unlimited
pcre.backtrack_limit - 1000000
pcre.recursion_limit - 100000
pgsql.max_links - Unlimited
pgsql.max_persistent - Unlimited
session.cache_limiter - <i>no value</i>
session.gc_maxlifetime - 1440
soap.wsdl_cache_limit - 5

Browser User-Agent String

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

Hide Post Content

This will replace the post content with the message: "Content has been removed by an Administrator"

Hide Content

Request Refund

You may not request a refund that is not currently owned by you.