[SOLVED] allow users to input css code inside module configuration and sanitize value


jploch

Hey folks,

I am currently building a module where the user can input css code inside an InputfieldTextArea on the module configuration.
Normally I would just let the user insert a path to a file, but in this case I want the user to be able to insert css code.

I am outputting the value of the field like this:

<style> <?= $this->sanitizer->purify($myModule->customStyles); ?> </style>

How would you guys prevent malicious code getting saved to the database? Or is ProcessWire sanitizing the value automatically on save? (The module setting will only be available to superusers).


6 hours ago, jploch said:

How would you guys prevent malicious code getting saved to the database?

6 hours ago, jploch said:

(The module setting will only be available to superusers).

You could apply the purify sanitizer when the field value is saved by hooking InputfieldTextarea::processInput().

But looking at it another way, it isn't really possible to guard against a malicious superuser - they could destroy the site in any number of ways. Therefore you have to accept that superuser is a role for trusted users only.


13 hours ago, Robin S said:

You could apply the purify sanitizer when the field value is saved by hooking InputfieldTextarea::processInput().

Hey @Robin S thanks for your advice! I think you are right, it's not really possible to protect against a malicious superuser account (e.g. if it got hacked). Since the code is saved as a string anyway, I don't think it would cause harm, even if there were PHP or JavaScript code in the field, right?

But I feel better using the hook you mentioned. Here is the code, which works nicely:

public function __construct() {
	// Runs before any InputfieldTextarea processes its submitted POST data
	$this->addHookBefore('InputfieldTextarea::processInput', $this, 'sanitizeValue');
}

public function sanitizeValue(HookEvent $event) {
	// The hook fires for every textarea in the admin, so only act on this module's field
	if($event->object->name !== 'customStyles') return;
	$input = $event->arguments(0);
	// Remove all HTML tags before the value is saved to the module config
	$input->customStyles = strip_tags((string) $input->customStyles, '');
	$event->arguments(0, $input);
}
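The approach from the thread, expanded into a complete module as an added example (not code from the thread or from ProcessWire itself): the hook is scoped to the module's own field, the stored CSS is rewritten so it can never close the style element it is printed into, and the value is output raw because purify() is an HTML sanitizer that would entity-encode the `>` of a child selector. The field name `customStyles`, the class name `CssStylesExample` and the method names are assumptions.

```php
<?php namespace ProcessWire;

// Added example, not code from the thread or from ProcessWire itself.
// Assumptions: the config field is named "customStyles" and the module
// class is named CssStylesExample.
class CssStylesExample extends WireData implements Module, ConfigurableModule {

    public static function getModuleInfo() {
        return array('title' => 'Custom CSS example', 'version' => 1, 'autoload' => true);
    }

    public function init() {
        $this->addHookBefore('InputfieldTextarea::processInput', $this, 'sanitizeCustomStyles');
    }

    public function getModuleConfigInputfields(InputfieldWrapper $inputfields) {
        /** @var InputfieldTextarea $f */
        $f = $this->wire('modules')->get('InputfieldTextarea');
        $f->attr('name', 'customStyles');
        $f->label = 'Custom CSS';
        $f->attr('value', (string) $this->customStyles);
        $inputfields->add($f);
    }

    public function sanitizeCustomStyles(HookEvent $event) {
        // The hook fires for every InputfieldTextarea in the admin, so check the field name first
        if($event->object->name !== 'customStyles') return;
        /** @var WireInputData $input */
        $input = $event->arguments(0);
        $input->customStyles = self::sanitizeCssBlock((string) $input->customStyles);
        $event->arguments(0, $input);
    }

    // strip_tags() drops markup; any remaining '<' is rewritten as the CSS hex
    // escape "\3c " so that "</style>" can never terminate the element the CSS
    // is printed into, while '<' inside a CSS string stays a valid character.
    public static function sanitizeCssBlock($css) {
        return str_replace('<', '\\3c ', strip_tags($css));
    }

    // Output the stored value unescaped: browsers do not decode entities inside
    // <style>, so a purified "a &gt; b" would be a broken selector, not "a > b".
    public function renderStyles() {
        return '<style>' . $this->customStyles . '</style>';
    }
}
```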

  • jploch changed the title to [SOLVED] allow users to input css code inside module configuration and sanitize value
