[Phpmyadmin-devel] guidelines for avoiding security pitfalls

Marc Delisle marc at infomarc.info
Sun Apr 29 18:06:12 CEST 2012


On 2012-04-29 09:34, Dieter Adriaenssens wrote:
> 2012/4/1 Marc Delisle <marc at infomarc.info>:
>> On 2012-04-01 13:49, Rouslan Placella wrote:
>>> On 01/04/12 13:11, Marc Delisle wrote:
>>>> On 2012-03-31 11:02, Dieter Adriaenssens wrote:
>>>>> On 28 March 2012 14:37, Marc Delisle <marc at infomarc.info> wrote:
>>>>>> On 2012-03-28 04:53, Michal Čihař wrote:
>>>>>>> Hi
>>>>>>>
>>>>>>> On Tue, 27 Mar 2012 22:01:05 +0200
>>>>>>> Dieter Adriaenssens <dieter.adriaenssens at gmail.com> wrote:
>>>>>>>
>>>>>>>> As discussed on the team meeting in February, I started creating a
>>>>>>>> wiki page with some guidelines for avoiding security bugs [0].
>>>>>>>> The page is not finished yet, I just set out some ideas, that I will
>>>>>>>> work out in the next few days. Feel free to comment, improve or add
>>>>>>>> guidelines as you see fit.
>>>>>>>>
>>>>>>>> [0] http://wiki.phpmyadmin.net/pma/Security_pitfalls
>>>>>>>
>>>>>>> Thanks, looks great so far!
>>>>>>
>>>>>> Yes, thanks. I'm wondering, are there places where we really use
>>>>>> htmlentities() for protection?
>>>>>
>>>>> htmlentities() is not much used (see below); shall we replace them all
>>>>> with htmlspecialchars() and drop htmlentities() from the guidelines?
>>>>
>>>> It would be more prudent to have a look at them, one by one, and see
>>>> their exact purpose.
>>>
>>> You'd use htmlentities() when you need to escape single quotes;
>>> htmlspecialchars() doesn't do that.
>>
>> From the PHP manual for htmlspecialchars(), we can use the ENT_QUOTES
>> flag which does this:
>> "'" (single quote) becomes '&#039;' only when ENT_QUOTES is set.
> 
> I've added the ENT_QUOTES directive to the page and also added some
> examples for escaping URLs and encoding URL parameter values.

Great.
> 
>>>
>>> E.g.:
>>> $name = htmlentities("foo's bar", ENT_QUOTES);
>>> echo "<input name='name' value='$name' />";
>>>
>>>> Anyway, some of them are under libraries/tcpdf and some under /test.
>>>>
>>>> In the PHP Architect guide to PHP security by one of the PHP core
>>>> developers, I checked the chapter about XSS. I could not find a
>>>> suggestion to use htmlentities(); however, htmlspecialchars() does not
>>>> find all XSS, so they suggest using preg_replace() with some clever
>>>> patterns.
> 
> Do you have a link to that, or do you own a paper copy?

Sorry, paper copy.

> 
>>>>>
>>>>> Using htmlspecialchars() is sufficient to protect against XSS (and
>>>>> possibly against messing up the HTML structure);
>>>>> htmlentities() just converts more characters into their HTML character
>>>>> entity equivalents (for example ü will become &uuml;)
>>>>>
>>>>> Current occurrences of escaping/sanitizing functions in the PMA codebase:
>>>>>
>>>>> htmlentities() : 51
>>>>> htmlspecialchars() : 1041
>>>>> PMA_sanitize() : 40
>>>>> PMA_sanitize_file() : 3
>>>>>
>>>>>> Also I think we should talk about PMA_sanitize().
>>>>>
>>>>> Yes, but it should not be used in all cases?
>>>>>
>>>>
>>>> Maybe, but it would be slower than just plain htmlspecialchars(). Also,
>>>> with the default parameters of PMA_sanitize(), it just replaces "<" and
>>>> ">" and takes care of our special formatting codes.
>>>>



-- 
Marc Delisle
http://infomarc.info
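The three points argued in this thread, as an added example that is not code from the phpMyAdmin project or from any of the participants: htmlspecialchars() without ENT_QUOTES leaves a single quote untouched, which is enough to break out of a single-quoted attribute; with ENT_QUOTES the same input stays inside one attribute; and htmlentities() only adds cosmetic entity conversion on top of that. The last function shows the URL-parameter case Dieter mentions adding to the wiki page. Assumptions: PHP 5.4 or later with a UTF-8 page, the attacker input and the `index.php`/`db`/`table` parameter names are constructed for illustration, and the flags and charset are passed explicitly because the default flag set of htmlspecialchars()/htmlentities() was ENT_COMPAT (double quotes only) before PHP 8.1 and is ENT_QUOTES since 8.1.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyAdmin code. Flags and charset are always passed
// explicitly: the defaults differ between PHP versions (ENT_COMPAT before 8.1,
// ENT_QUOTES from 8.1 on), so relying on them gives version-dependent output.

/** Render untrusted $value inside a single-quoted HTML attribute. */
function single_quoted_input(string $value, int $flags): string
{
    return "<input name='name' value='"
        . htmlspecialchars($value, $flags, 'UTF-8') . "' />";
}

// Constructed attacker input: the single quote closes the attribute and the
// remainder of the string adds an event handler.
$payload = "foo' onfocus='alert(1)";

// ENT_COMPAT escapes < > & and double quotes only; the single quote survives
// and the attribute is broken out of.
echo single_quoted_input($payload, ENT_COMPAT), "\n";

// ENT_QUOTES additionally turns ' into &#039; (ENT_HTML401 doctype), so the
// whole payload stays inside the one attribute value.
echo single_quoted_input($payload, ENT_QUOTES), "\n";

// Same idea with a double-quoted attribute: ENT_COMPAT already escapes ",
// so this one is safe either way. The quote style of the surrounding markup
// decides whether ENT_QUOTES is needed, which is why the guideline is to
// always pass it rather than reason about it per call site.
$dq = htmlspecialchars('foo" onfocus="alert(1)', ENT_COMPAT, 'UTF-8');
echo "<input name=\"name\" value=\"$dq\" />\n";

// htmlentities() escapes the same characters as htmlspecialchars() and, on
// top of that, every character that has a named HTML entity (e.g. ü -> &uuml;).
// On a UTF-8 page that extra conversion is cosmetic; both results are equally
// safe against XSS. The charset argument matters for htmlentities(): with the
// wrong charset multibyte input is mangled or rejected.
$text = "Müller's café";
echo htmlspecialchars($text, ENT_QUOTES, 'UTF-8'), "\n";
echo htmlentities($text, ENT_QUOTES, 'UTF-8'), "\n";

/**
 * Build a link whose query-string values are untrusted. Two different
 * encodings are needed, one per context: percent-encoding for each URL
 * parameter value (http_build_query() applies urlencode()), then HTML
 * escaping of the assembled URL when it is placed in an href attribute,
 * so the & separators and any quotes cannot alter the markup.
 * Script and parameter names here are illustrative only.
 */
function link_to(string $script, array $params, string $label): string
{
    $url = $script . '?' . http_build_query($params);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

echo link_to('index.php', ['db' => "my db&x='1", 'table' => '<t>'], 'open <t>'), "\n";
```

Run it with the php CLI. The first input tag printed has its value attribute closed early by the payload, leaving a live onfocus handler; the second keeps the entire payload as the attribute's text. The htmlentities() line differs from the htmlspecialchars() line only in the accented characters, and the final anchor shows the raw & and ' of the database name percent-encoded in the query string and the separator rendered as &amp; in the attribute.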
