[Phpmyadmin-devel] htmlspecialchars in PMA_Error
J.M.
me at mynetx.net
Fri Mar 30 23:01:28 CEST 2012
>> Do we prefer using trigger_error() or the direct PMA_Message::display variant?
>
> Generally anything what comes as an error from PHP needs to be escaped,
> so there are two options:
>
> - pass our error messages to trigger_error as some object (let's call
> it SafeString for now) and if error handler sees SafeString, it won't
> do any processing of that
>
> - do not use trigger_error for anything what includes markup
>
> I'd prefer first solution (actually marking strings as safe to output
> is generally useful thing to prevent XSS).
The concept would be great—but trigger_error only accepts strings. See
the signature here:
bool trigger_error ( string $error_msg [, int $error_type = E_USER_NOTICE ] )
I suggest a workaround. We might store the message’s MD5 hash in a
global variable, like this:
function whitelist_error($errstr) {
if (!isset($GLOBALS['error_whitelist'])) {
$GLOBALS['error_whitelist'] = array();
}
$GLOBALS['error_whitelist'][] = md5($the_message);
}
Within the PMA_Error_Handler::handleError function, we would check if
the current $errstr is whitelisted:
// if error message is not whitelisted, sanitize it
if (! isset($GLOBALS['error_whitelist'])
|| ! in_array(md5($errstr), $GLOBALS['error_whitelist'])) {
$errstr = htmlspecialchars($errstr);
}
$error = new PMA_Error($errno, $errstr, $errfile, $errline);
But looking at this, do we still prefer trigger_error over directly
echoing PMA_Error objects as with The phpMyAdmin configuration storage
is not completely configured in main.php line 322?
More information about the Developers
mailing list