[Rejected] Sanitizing User Profiles
#9
You can't rely on database content to be already sanitized. So "already sanitized from MyBB" would mean by some MyBB API (like if MyBB's function.php had a format_usertitle()) or one of MyBB's public variables. Then you can rely on it - have to rely on it - as otherwise you'd double-sanitize, which is &amp. But not if you query the data yourself (unless there's a database query API that spews out pre-sanitized values).

It can't work because if you put sanitized data into a database, it breaks queries and searches. Even if you encode the query string too, there is more than one way to encode a string with HTML entities, and the implementation may be subject to change over time. So the strings might not match even if what they represent is identical.

And then you still have to consider people tampering with their database in phpmy/adminer. If you can make MyBB produce illegal output, it's bad, even if it was done by database tampering.
Does the new template engine for MyBB 1.9 have any built-in sanitization feature? Most of the time (say, if you are not parsing bbcode, or, well, putting templates inside templates, I guess), the template should be the sole authority on HTML structure, and all $vars should just be content/strings, so the template engine could handle sanitization centrally rather than that garden variety of htmlspecialchars strewn all over everywhere.
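As an added example (not part of the original post and not MyBB's own code), the PHP below shows the two points made above: rows that were escaped before storage no longer match each other or a raw search term, and they get escaped a second time when rendered, whereas a template renderer that escapes centrally handles raw stored values exactly once. The `render()` and `escape_html()` helpers and the sample user title are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not MyBB code: contrasts "sanitize before storing" with
// escape-at-output done centrally by a toy template renderer.

function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Toy template engine: every {name} placeholder is escaped in one place, so
// no call site can forget the escaping or apply it twice.
function render(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\{(\w+)\}/',
        fn(array $m): string => escape_html((string) ($vars[$m[1]] ?? '')),
        $template
    );
}

$template = '<span class="usertitle">{usertitle}</span>';

// Constructed sample: a title with a non-ASCII letter and HTML-special characters.
$rawTitle = 'Café & Bar <3';

// Wrong: escape before storing. Two code paths pick different but equivalent
// encodings of the same title, so the rows match neither each other nor the
// raw term that a `WHERE usertitle = ?` search would use.
$storedA = escape_html($rawTitle);
$storedB = htmlentities($rawTitle, ENT_QUOTES | ENT_HTML5, 'UTF-8');
var_dump($storedA === $storedB);                           // two representations, one title
var_dump(in_array($rawTitle, [$storedA, $storedB], true)); // exact-match search misses both
var_dump(html_entity_decode($storedA, ENT_QUOTES | ENT_HTML5, 'UTF-8')
      === html_entity_decode($storedB, ENT_QUOTES | ENT_HTML5, 'UTF-8')); // equal only once decoded

// ...and rendering a pre-escaped row escapes it a second time, so the browser
// displays a literal "&amp;" where the user typed "&".
echo render($template, ['usertitle' => $storedA]), PHP_EOL;

// Right: store the raw title and let the template escape it exactly once.
echo render($template, ['usertitle' => $rawTitle]), PHP_EOL;
```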


Messages In This Thread
Sanitizing User Profiles - by labrocca - 2018-04-26, 06:13 PM
RE: Sanitizing User Profiles - by Devilshakerz - 2018-04-26, 07:40 PM
RE: Sanitizing User Profiles - by labrocca - 2018-04-26, 08:21 PM
RE: Sanitizing User Profiles - by Euan T - 2018-04-26, 09:42 PM
RE: Sanitizing User Profiles - by labrocca - 2018-04-26, 10:20 PM
RE: Sanitizing User Profiles - by frostschutz - 2018-04-26, 11:01 PM
RE: Sanitizing User Profiles - by labrocca - 2018-04-27, 05:54 PM
RE: Sanitizing User Profiles - by frostschutz - 2018-04-27, 07:48 PM
RE: Sanitizing User Profiles - by Euan T - 2018-04-27, 06:52 PM
RE: Sanitizing User Profiles - by Devilshakerz - 2018-04-27, 08:12 PM
RE: Sanitizing User Profiles - by labrocca - 2018-04-27, 08:23 PM
RE: Sanitizing User Profiles - by Omar G. - 2018-04-28, 06:44 AM
RE: Sanitizing User Profiles - by labrocca - 2018-04-28, 02:41 PM
