huseyin Posted May 18, 2020
Hello, if you deal with user input (form data, URL variables etc.), are you using only the PW Sanitizer API or any more actions?
huseyin Posted May 18, 2020 (Author)
As there is no answer... My English knowledge is limited. Probably you did not understand the question. I will try to (re)explain. How do you sanitize user input data? Is only the PW sanitizer enough, or what is your strategy against XSS?
thetuningspoon Posted May 18, 2020
Hi huseyin,
1. Use the appropriate Sanitizer methods to test user input from post and get. Depending on the circumstance, you'll either want to validate (reject it completely if there's something wrong with it), or filter/sanitize it (accept it but strip out unwanted characters). If doing both filter and validate, do your validation AFTER your filtering.
2. Even more important than step #1 is to use escaping on your output. This means using htmlspecialchars() or htmlentities() or $sanitizer->entities() when you output any field from the database or user input to the page (if you have htmlentities set up on your field's output formatting, then you can skip this step for those fields). Even if you mess up on the filter/validation from #1, as long as you've escaped all of the HTML, you should be OK.
3. When using user input (get or post variables) inside ProcessWire selector strings, use the Sanitizer::selectorValue() method on the value first. Even better, just use selector arrays, since selectorValue can sometimes strip out characters (quotes and commas) that you actually want to search for.
4. If you're using any SQL directly, you must use prepared statements to bind any user input, which automatically escapes the input for SQL.
5. For protection against Cross-Site Request Forgery (CSRF), use ProcessWire's SessionCSRF class when building custom forms. See https://processwire.com/api/ref/session-c-s-r-f/ for details on how to use this.
6. Don't use GET for secret data (passwords, security codes, etc.). That data can get picked up by browser extensions or appear in server logs that might get compromised.
7. Use SSL/https on your whole site.
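The points above (filter then validate, escape on output, selector arrays instead of selectorValue(), bound SQL parameters, and SessionCSRF) put together in one ProcessWire template file, as an added example that is not code from the thread or from the ProcessWire project. It assumes a hypothetical `contact_messages` table, a `basic-page` template with a `title` field, and a template file that receives the usual `$input`, `$sanitizer`, `$session`, `$pages` and `$database` API variables; only ProcessWire API calls that exist in 3.x are used.

```php
<?php namespace ProcessWire;
// Added example: hypothetical site/templates/contact.php combining a GET search
// form and a POST contact form. Assumes a `contact_messages` table exists.

$errors  = [];
$notice  = '';

// --- Step 1 + 3: search (GET). Filter the input, then query with a selector
// array so the API receives the sanitized text as-is. selectorValue() would
// strip quotes and commas a user may legitimately be searching for.
$q = $sanitizer->text($input->get('q'));   // trims, strips tags, caps length; '' if absent
$results = $pages->newPageArray();
if ($q !== '') {
    $results = $pages->find([
        'template' => 'basic-page',
        'title%='  => $q,      // "contains" match; no selector-string quoting needed
        'limit'    => 20,
    ]);
}

// --- Step 5 + 1 + 4: contact form (POST). CSRF check first, then filter,
// then validate AFTER filtering, then write with a prepared statement.
if ($input->post('submit_contact')) {
    if (!$session->CSRF->hasValidToken()) {
        // Missing or stale token: reject the whole request, do not process it.
        $errors[] = 'Your session expired, please submit the form again.';
    } else {
        // Filter: each value comes back typed and length-limited.
        $name  = $sanitizer->text($input->post('name'));
        $email = $sanitizer->email($input->post('email'));     // '' when not a valid address
        $msg   = $sanitizer->textarea($input->post('message'));

        // Validate the filtered values, not the raw ones.
        if ($name === '')       $errors[] = 'Name is required.';
        if ($email === '')      $errors[] = 'A valid email address is required.';
        if (strlen($msg) < 10)  $errors[] = 'Message is too short.';

        if (!$errors) {
            // Direct SQL only ever with bound parameters (PDO via $database).
            $query = $database->prepare(
                'INSERT INTO contact_messages (name, email, message, created) '
              . 'VALUES (:name, :email, :message, NOW())'
            );
            $query->bindValue(':name', $name);
            $query->bindValue(':email', $email);
            $query->bindValue(':message', $msg);
            $query->execute();

            $notice = 'Thanks, your message was sent.';
            $session->CSRF->resetToken();   // one token per successful submission
        }
    }
}

// --- Step 2: escape on output. Every value that came from the user or the
// database goes through entities() (htmlspecialchars with ENT_QUOTES), even
// values we already filtered above.
$e = function ($s) use ($sanitizer) { return $sanitizer->entities((string) $s); };
?>
<form method="get" action="./">
  <input type="search" name="q" value="<?= $e($q) ?>">
  <button type="submit">Search</button>
</form>
<ul>
<?php foreach ($results as $p): ?>
  <li><a href="<?= $e($p->url) ?>"><?= $e($p->title) ?></a></li>
<?php endforeach; ?>
</ul>

<?php foreach ($errors as $err): ?>
  <p class="error"><?= $e($err) ?></p>
<?php endforeach; ?>
<?php if ($notice): ?><p class="notice"><?= $e($notice) ?></p><?php endif; ?>

<form method="post" action="./">
  <?= $session->CSRF->renderInput() ?>
  <input type="text" name="name" value="<?= $e($input->post('name')) ?>">
  <input type="email" name="email" value="<?= $e($input->post('email')) ?>">
  <textarea name="message"><?= $e($input->post('message')) ?></textarea>
  <button type="submit" name="submit_contact" value="1">Send</button>
</form>
```

Two things worth noting about the design: the POST form is re-populated from the raw `$input->post()` values so the user sees exactly what they typed, which is safe only because every echo goes through `$e()`; and the token check happens before any sanitizing, so a forged request never reaches the filtering or SQL code at all.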
huseyin Posted May 19, 2020 (Author)
Hello @thetuningspoon, thank you very much for your reply. This is really very good information. I have read it a few times. I am sure I will read it a few more times. Thank you again...
thetuningspoon Posted May 20, 2020
Happy to help! Let me know if you want me to go into more detail on any of these and I will do my best.