[Phpmyadmin-devel] guidelines for avoiding security pitfalls

Marc Delisle marc at infomarc.info
Sun Apr 1 14:11:58 CEST 2012


On 2012-03-31 11:02, Dieter Adriaenssens wrote:
> On 28 March 2012 14:37 Marc Delisle <marc at infomarc.info> wrote:
>> On 2012-03-28 04:53, Michal Čihař wrote:
>>> Hi
>>>
>>> On Tue, 27 Mar 2012 22:01:05 +0200
>>> Dieter Adriaenssens <dieter.adriaenssens at gmail.com> wrote:
>>>
>>>> As discussed on the team meeting in February, I started creating a
>>>> wiki page with some guidelines for avoiding security bugs [0].
>>>> The page is not finished yet, I just set out some ideas, that I will
>>>> work out in the next few days. Feel free to comment, improve or add
>>>> guidelines as you see fit.
>>>>
>>>> [0] http://wiki.phpmyadmin.net/pma/Security_pitfalls
>>>
>>> Thanks, looks great so far!
>>
>> Yes, thanks. I'm wondering, are there places where we really use
>> htmlentities() for protection?
> 
> htmlentities() is not much used (see lower), shall we replace them all
> by htmlspecialchars and drop the htmlentities() from the guidelines?

It would be more prudent to have a look at them, one by one, and see
their exact purpose.

Anyway, some of them are under libraries/tcpdf and some under /test.

In the PHP Architect guide to PHP security by one of the PHP core
developers, I checked the chapter about XSS. I could not find a
suggestion to use htmlentities(); however, htmlspecialchars() does not
find all XSS, so they suggest using preg_replace() with some clever
patterns.

> 
> Using htmlspecialchars() is sufficient to protect against XSS (and
> possibly messing up of the html structure),
> htmlentities() just converts more characters into their HTML character
> entity equivalents (for example ü will become &uuml;)
> 
> Current occurrences of escaping/sanitizing functions in PMA codebase:
> 
> htmlentities() : 51
> htmlspecialchars() : 1041
> PMA_sanitize() : 40
> PMA_sanitize_file() : 3
> 
>> Also I think we should talk about PMA_sanitize().
> 
> Yes, but it should not be used in all cases?
> 

Maybe, but it would be slower than just plain htmlspecialchars(). Also,
with the default parameters of PMA_sanitize(), it just replaces "<" and
">" and takes care of our special formatting codes.

-- 
Marc Delisle
http://infomarc.info
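As an added illustration of the two escaping functions compared in this thread (example code written for this page, not from the phpMyAdmin code base; the function names are the example's own):

```php
<?php
// Added example (not phpMyAdmin code): what htmlspecialchars() and
// htmlentities() share, where they differ, and the flags that matter.

function escape_html(string $value): string
{
    // ENT_QUOTES also escapes single quotes (attribute values need this;
    // before PHP 8.1 the default flags skip them). ENT_SUBSTITUTE turns
    // invalid UTF-8 into U+FFFD instead of returning "". Always pass the
    // charset: PHP before 5.4 defaulted to ISO-8859-1.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escape_html_all_entities(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// True if a character that must never appear unescaped in HTML text or a
// quoted attribute survived the escaping step.
function contains_raw_markup(string $escaped): bool
{
    return preg_match('/[<>"\']/', $escaped) === 1;
}

// Characters of $value that the two functions encode differently; the
// difference is confined to non-ASCII characters that have a named entity.
function chars_escaped_differently(string $value): array
{
    $chars = preg_split('//u', $value, -1, PREG_SPLIT_NO_EMPTY);
    if ($chars === false) {
        return []; // not valid UTF-8, no per-character comparison possible
    }
    $diff = [];
    foreach ($chars as $ch) {
        if (escape_html($ch) !== escape_html_all_entities($ch)) {
            $diff[] = $ch;
        }
    }
    return array_values(array_unique($diff));
}

// Constructed inputs: markup characters, a non-ASCII letter, truncated UTF-8.
$samples = ['markup' => '<b>x</b> & "y" \'z\'', 'non-ascii' => 'Müller', 'bad utf8' => "caf\xC3"];
foreach ($samples as $label => $input) {
    $out = escape_html($input);
    printf("%-9s special=%s entities=%s raw_left=%s differs_on=[%s]\n", $label, $out,
        escape_html_all_entities($input), contains_raw_markup($out) ? 'yes' : 'no',
        implode(' ', chars_escaped_differently($input)));
}
```

Both functions neutralise the markup characters; only htmlentities() additionally rewrites the non-ASCII letter, which is the 51-versus-1041 distinction discussed above.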
