Are you sure about handling SECURITY?!
#6

(07-17-2016, 01:22 PM)PaulD Wrote:
Quote:About the regex that you said is overkill: I think it is very powerful and I use it. In this case, maybe you're right, but in other cases it will be useful and I can validate input better. Suppose users must fill in an input like this: 2016-11-05. With regex I have more control over the format and also over inserted values that must be integers.

Well, fair enough, regex is very powerful. But your example of a date is a bad one. There is nothing more frustrating than a form that expects a date in a format you do not normally use. Forcing a user to input dates in a certain format can kill the user experience. I would use a datepicker. Validate length, and if it is not a valid input it would fail the date conversion and an appropriate message would appear.

Quote:I can validate inputs (SCENARIO 1) with form validation library while accepting data via form submitting. If they are valid, insert them into database. When I read these values to send as HTML output, I must validate via PHP built-in functions like intval, filter_var or..., if they passed validations (validating inputs is done), now with xss_clean or HTML Purifier, I escape them and finally echo them in view file and send them to user browser, right?
Input:
When you insert them into your database you need to escape the values. (Or use the query builder, which will attempt to escape them for you.) So yes, validate (is it the type of data you were expecting) then escape (make it safe for the database).
Output:
I would say that it depends on the usage. Let's say a user is inputting a comment. Your app generates the date. When you read it from the database you do not need to validate that it is a date. Suppose the date needs to be a future date; then you would validate that it is a future date. If it is user-generated text, you may need to validate that it exists, or is not null. That is validation. You would then need to filter on output, so xss_clean it, if that is appropriate in your scenario.

Quote:In SCENARIO 2 (that I've HTML tags), the validation is not simple. so I use HTML Purifier and then store them into database. In this case when I want to output them as HTML, should I use HTML Purifier again? Or store them without HTML Purifier and when I output them, use it?
I purify on input, but that is not right. You should validate (is it set, the right length, etc.) and accept the user's input (fully escaped) for the database. It is on output that you need to use the purifier in this example, as you want the tags intact but scripts and potentially dangerous content removed. You can white-list the allowed tags. But if you purify on input you are changing the user's input in an irreversible way, which might be problematic in certain usages. You only need to purify it once.

Quote:Both of the users who replied to this question do not say clearly whether xss_clean is better or HTML Purifier (as a third party)! When I use xss_clean, if there is a <script> tag, it will print [removed], and HTML Purifier removes it.
Is an apple better than a pear? They are different tools that do different things.

Quote:One more thing is that I, as admin, write posts full of tags. In this case, I use <script> tags and they must be there. How could I handle this? When I use xss_clean or HTML Purifier, they remove <script>! What should I do?
I would address why you are putting scripts into posts. If you must, you could write an exception somewhere that says 'if this post was written by an admin do not purify it' or similar, but I think putting scripts into posts is not a good idea in the first place. Your post output should treat all posts as though they were from untrusted sources. Any JS should really not be in the middle of your page, so you need a new system to add JavaScript files or inline to your page, dependent on the post. Personally I do not ever put JS into a database.

Having said all that, I think MWhitney's answer was very thorough, and he is a far more experienced and better coder than I am, so I would reread and listen to what he said more than me. As he said:
Quote:you're not going to get a lot of specific answers on security questions which can be applied to every circumstance.

Best wishes,

Paul.


Thanks again for your attention...

You said:
Quote:Is an apple better than a pear? They are different tools that do different things.

I ask that question because @mwhitney said:

Quote:The best tool to use to escape the output is probably going to be either xss_clean() or HTML Purifier.

If escaping output can be done with either xss_clean() or HTML Purifier, while the first one is CI built-in and the second one is third party, that is why I asked that question! Otherwise, I know about those fruits and...!

About putting JS in the post, and especially in the middle of the page... you're right and I agree with this approach. I will find another solution that does not rely on JS.

thanks again...
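The split PaulD describes above (validate on input, escape for the database, then escape or purify once at output with an allow-list of tags) in plain PHP, as an added example that is not code from this thread or from CodeIgniter. It assumes PDO with the SQLite driver for an offline in-memory table, and optionally the ezyang/htmlpurifier package on the autoloader for the rich-text case; the table, the function names and the sample inputs are constructed for the example.

```php
<?php
// Added example (not from the thread or CodeIgniter): validate on input,
// parameterise for storage, escape or purify for the output context.
declare(strict_types=1);

// --- Input: validate -------------------------------------------------------
// Accept a date only if it parses and formats back to the identical string,
// which rejects overflowed values such as 2016-02-30 that createFromFormat
// would otherwise roll forward to March.
function validateDate(string $value, string $format = 'Y-m-d'): ?string
{
    $dt = DateTime::createFromFormat('!' . $format, $value);
    return ($dt !== false && $dt->format($format) === $value) ? $value : null;
}

// Plain-text comment: only existence and length are checked; the text is
// stored as typed and made safe for HTML at output time, not here.
function validateComment(string $value, int $maxLen = 2000): ?string
{
    $value = trim($value);
    return ($value !== '' && mb_strlen($value) <= $maxLen) ? $value : null;
}

// --- Storage: escape for the database via a prepared statement -------------
function storeComment(PDO $db, string $date, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (created_on, body) VALUES (:d, :b)');
    $stmt->execute([':d' => $date, ':b' => $body]); // values never enter the SQL text
    return (int) $db->lastInsertId();
}

// --- Output: escape for the context it is rendered into --------------------
// Scenario 1 (no tags allowed): HTML-escape everything.
function renderPlain(string $body): string
{
    return htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Scenario 2 (some tags allowed): purify once, at output, with an allow-list.
// Uses HTML Purifier when it is loaded; otherwise falls back to full escaping.
function renderRichText(string $body): string
{
    if (!class_exists('HTMLPurifier')) {
        return renderPlain($body);
    }
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,b,i,strong,em,a[href],ul,ol,li');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    return (new HTMLPurifier($config))->purify($body);
}

// --- Demo with a constructed in-memory table and sample inputs -------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, created_on TEXT, body TEXT)');

$samples = [ // constructed: a quote character, an impossible date, a script tag
    ['2016-11-05', "Nice post, O'Brien <3"],
    ['2016-02-30', 'never stored: invalid date'],
    ['2016-07-17', '<b>bold</b> <script>alert(1)</script> <a href="https://example.com">ok</a>'],
];

foreach ($samples as [$rawDate, $rawBody]) {
    $date = validateDate($rawDate);
    $body = validateComment($rawBody);
    if ($date === null || $body === null) {
        echo "rejected: $rawDate\n";
        continue;
    }
    storeComment($db, $date, $body);
}

foreach ($db->query('SELECT created_on, body FROM comments') as $row) {
    echo $row['created_on'], ' plain: ', renderPlain($row['body']), "\n";
    echo $row['created_on'], ' rich : ', renderRichText($row['body']), "\n";
}
```

Run it with `php example.php`. The second sample is rejected before it reaches the database, the apostrophe in the first is handled by the prepared statement rather than by string escaping, and the third keeps its `<b>` and `<a>` tags while the `<script>` element is dropped by the purifier (or the whole string is entity-escaped when HTML Purifier is not installed). Either way the stored text is untouched, which is the reversibility point made in the post.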


Messages In This Thread
RE: Are you sure about handling SECURITY?! - by pb.sajjad - 07-17-2016, 02:46 PM


