Automatic cleaning XSS ?


Bellegueulle Damien

May 23, 2018, 2:47:01 PM5/23/18
to Fat-Free Framework
Hello,

Is it possible to automatically clean code of type "XSS, etc." with the function "clean", but automatically for all commands of type "copyfrom", and via a parameter in the file config.ini, for example: AUTOCLEAN = 1?

A good idea?

Regards,

ikkez

May 24, 2018, 6:14:40 AM5/24/18
to Fat-Free Framework
The clean method is not completely XSS safe. It can remove tags, but it won't clean things like attributes containing script calls on allowed tags.
Regarding the copyfrom method: you can extend the mapper and override this copyfrom method to add your own "clean" call, which can of course be controlled by a config setting like AUTOCLEAN.
And regarding cleaning values in config files, you can do it like this:

[section1:Base->clean]
myvar=myval1

Bellegueulle Damien

May 25, 2018, 4:24:15 AM5/25/18
to Fat-Free Framework
Great, but how do I extend the mapper?

<?php
/**
 * XSS Class
 */
class Xss extends \DB\SQL\Mapper
{
    // $fields is already declared by the parent mapper, so it is not redeclared here

    function copyfrom($var,$func=NULL) {
        $f3=\Base::instance();
        // a string argument names a hive key such as 'POST'
        if (is_string($var))
            $var=$f3->$var;
        if ($func)
            $var=call_user_func($func,$var);
        // copy only keys that match a mapped column, scrubbing each value
        foreach ($var as $key=>$val)
            if (in_array($key,array_keys($this->fields)))
                $this->set($key,$f3->scrub($val));
    }
}

Thank you in advance
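As an added example (not code from this thread or from the Fat-Free Framework project), here is one way to put ikkez's suggestion together with the question above: a mapper subclass whose copyfrom applies the framework's clean() only when AUTOCLEAN=1 is set in config.ini, and otherwise behaves exactly like the stock mapper. The class name CleanMapper and the ALLOWED_TAGS config key are assumptions; \Base::clean(), \Base::get(), \DB\SQL\Mapper::copyfrom() and the ESCAPE setting are existing F3 3.x features.

```php
<?php
// Added example, not part of the thread or of Fat-Free Framework itself.
// Assumed config.ini fragment:
//
//   [globals]
//   AUTOCLEAN=1
//   ALLOWED_TAGS=b,i,p
//
// With AUTOCLEAN unset or 0 the subclass delegates straight to the parent.

namespace App;

class CleanMapper extends \DB\SQL\Mapper {

    /**
     * Same signature as the stock mapper: $var is an array or a hive key
     * (e.g. 'POST'); $func is an optional callback applied before copying.
     */
    function copyfrom($var,$func=NULL) {
        $f3=\Base::instance();

        // feature switch read from config.ini
        if (!$f3->get('AUTOCLEAN'))
            return parent::copyfrom($var,$func);

        // resolve a hive key and apply the caller's callback first,
        // mirroring what the parent implementation does
        if (is_string($var))
            $var=$f3->$var;
        if ($func)
            $var=call_user_func($func,$var);

        // clean() walks arrays recursively: strips every tag not listed in
        // ALLOWED_TAGS (all tags when the key is absent) and drops control
        // characters. Attributes on allowed tags are NOT removed, which is
        // the limitation ikkez points out above.
        $tags=$f3->get('ALLOWED_TAGS') ?: NULL;
        $clean=$f3->clean($var,$tags);

        // the parent handles the "only mapped columns" filtering and set()
        return parent::copyfrom($clean);
    }
}

// Usage (assumed table and route, illustrative only):
//
//   $f3=\Base::instance();
//   $f3->config('config.ini');
//   $user=new \App\CleanMapper($f3->get('DB'),'users');
//   $user->copyfrom('POST');   // values pass through clean() when AUTOCLEAN=1
//   $user->save();
```

Because attributes on allowed tags survive clean(), treat this as defence in depth for stored data, not as the XSS control itself: keep template auto-escaping on (ESCAPE is TRUE by default in F3) and use $f3->encode() wherever a value is written into HTML outside a template. Stripping on input also changes what gets stored, so an empty ALLOWED_TAGS (strip everything) is the safer default if the field does not need markup.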