On 28 March 2012 14:37, Marc Delisle marc@infomarc.info wrote:
On 2012-03-28 04:53, Michal Čihař wrote:
Hi
On Tue, 27 Mar 2012 22:01:05 +0200, Dieter Adriaenssens dieter.adriaenssens@gmail.com wrote:
As discussed on the team meeting in February, I started creating a wiki page with some guidelines for avoiding security bugs [0]. The page is not finished yet; I just set out some ideas that I will work out in the next few days. Feel free to comment, improve or add guidelines as you see fit.
Thanks, looks great so far!
Yes, thanks. I'm wondering, are there places where we really use htmlentities() for protection?
htmlentities() is not much used (see below); shall we replace them all by htmlspecialchars() and drop htmlentities() from the guidelines?
Using htmlspecialchars() is sufficient to protect against XSS (and possibly messing up the HTML structure); htmlentities() just converts more characters into their HTML character entity equivalents (for example ü will become &uuml;).
Current occurrences of escaping/sanitizing functions in the PMA codebase:
htmlentities(): 51
htmlspecialchars(): 1041
PMA_sanitize(): 40
PMA_sanitize_file(): 3
Also I think we should talk about PMA_sanitize().
Yes, but it should not be used in all cases?
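An added PHP example (not code from this thread or from phpMyAdmin) illustrating the htmlspecialchars() versus htmlentities() point above: both neutralise the same XSS-relevant characters, htmlentities() merely encodes more, and the ENT_QUOTES flag and explicit charset decide whether attribute contexts are actually covered. The helper names escapeHtml() and stillDangerous() and the sample inputs are assumptions constructed for this example.

```php
<?php
// Added example, not phpMyAdmin code.

// Escape a value for element content or a quoted attribute. ENT_QUOTES makes
// both " and ' safe; the charset is passed explicitly so the result does not
// depend on the PHP default_charset setting.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// True if the escaped string could still close a quoted attribute or open a tag.
function stillDangerous(string $escaped): bool
{
    return preg_match('/[<>"\']/', $escaped) === 1;
}

// Constructed sample inputs: non-ASCII text with markup, and two attribute
// breakout attempts, one per quote style.
$inputs = [
    'Grüße <b>',
    '" onmouseover="alert(1)',
    "' onmouseover='alert(1)",
];

foreach ($inputs as $input) {
    // ENT_COMPAT (the PHP 5.3 default) escapes double quotes only.
    $compat   = htmlspecialchars($input, ENT_COMPAT, 'UTF-8');
    // ENT_QUOTES escapes both quote kinds.
    $quotes   = escapeHtml($input);
    // htmlentities() additionally turns ü into &uuml;, ß into &szlig;, etc.
    $entities = htmlentities($input, ENT_QUOTES, 'UTF-8');

    echo "input:          $input\n";
    echo "  ENT_COMPAT:   $compat (still dangerous: "
        . var_export(stillDangerous($compat), true) . ")\n";
    echo "  ENT_QUOTES:   $quotes (still dangerous: "
        . var_export(stillDangerous($quotes), true) . ")\n";
    echo "  htmlentities: $entities\n";
}
```

The single-quoted breakout passes through ENT_COMPAT unchanged, so the flag, not the choice between the two functions, is what decides attribute safety.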