Input validation, cleanup and globals_get parameters

(Douglas (@finnatic at @waikato)) #1

Does anyone have any code snippets they could share that the use for input validation and cleanup of globals_get parameters?

In other systems I tend to process input variables with a regexp to discard unwanted characters or code (e.g. unwanted html that someone’s trying an XSS attack with or similar) - and I’m hoping someone might have some code they could share?

(Bart Banda) #2

Safest thing is to always use ^htmlentities:ENT_HTML5 modifier after it:

(Douglas (@finnatic at @waikato)) #3

^striphtml would seem to be abetter modifier in this case to avoid XSS attacks where a get variable is being output on the page as well as being used in a search / filter mechanism?

What I’d love is an example of using the regexp asset to do something like a discard-anything-but-these-characters or discard-the-input-if-it-doesn’t-match-this-pattern regexp which we’ve used elsewhere where user inputs need to be sanitised.

(Bart Banda) #4

^stiphtml doesn’t strip things like double and single quotes. ^htmlentities is much safer, read more here:

I assume you still want to strip all tags, which htmlentities does (well, it escapes them).

You could maybe also use ^replace with some basic regex to replace everything, except for a few characters, with nothing, if you didn’t want to use a regex asset?