Input validation, cleanup and globals_get parameters


(Douglas (@finnatic at @waikato)) #1

Does anyone have any code snippets they could share that they use for input validation and cleanup of globals_get parameters?

In other systems I tend to process input variables with a regexp to discard unwanted characters or code (e.g. unwanted html that someone’s trying an XSS attack with or similar) - and I’m hoping someone might have some code they could share?


(Bart Banda) #2

Safest thing is to always use ^htmlentities:ENT_HTML5 modifier after it: https://matrix.squiz.net/manuals/keyword-replacements/chapters/global-keywords#HTTP-Get-Variable


(Douglas (@finnatic at @waikato)) #3

^striphtml would seem to be a better modifier in this case to avoid XSS attacks where a get variable is being output on the page as well as being used in a search / filter mechanism?

What I’d love is an example of using the regexp asset to do something like a discard-anything-but-these-characters or discard-the-input-if-it-doesn’t-match-this-pattern regexp which we’ve used elsewhere where user inputs need to be sanitised.


(Bart Banda) #4

^striphtml doesn’t strip things like double and single quotes. ^htmlentities is much safer, read more here: http://php.net/manual/en/function.htmlentities.php

I assume you still want to strip all tags, which htmlentities does (well, it escapes them).

You could maybe also use ^replace with some basic regex to replace everything, except for a few characters, with nothing, if you didn’t want to use a regex asset?
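Added example, not code from this thread or from Squiz Matrix: Python functions that emulate what the three approaches discussed above (strip tags, entity-encode, regex allowlist) do to a GET value, plus a real HTML parser check showing why tag stripping alone leaves quotes that break out of an attribute, while entity encoding keeps the value inside it. The `strip_html`/`html_entities` emulations of the Matrix modifiers, the allowed-character set and the constructed sample input are assumptions, not the product's own behaviour.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: a search term as it might arrive in a GET parameter.
# It contains no <tag> at all; the quotes are what matter here.
SAMPLE_INPUT = 'shoes" onmouseover="alert(1)'


def strip_html(value: str) -> str:
    """Emulates a strip-tags style modifier: removes <...> but leaves quotes."""
    return re.sub(r"<[^>]*>", "", value)


def html_entities(value: str) -> str:
    """Emulates an htmlentities style modifier: escapes & < > \" and '."""
    return html.escape(value, quote=True)


# Allowlist approach: keep letters, digits, space, underscore and hyphen.
DISALLOWED = re.compile(r"[^A-Za-z0-9 _\-]")
PATTERN = re.compile(r"[A-Za-z0-9 _\-]{1,64}")


def allowlist_filter(value: str) -> str:
    """Discard-anything-but-these-characters: drop every disallowed char."""
    return DISALLOWED.sub("", value)


def pattern_or_empty(value: str) -> str:
    """Discard-the-input-if-it-doesn't-match-this-pattern: all or nothing."""
    return value if PATTERN.fullmatch(value) else ""


def render_attribute(value: str) -> str:
    """A search form echoing the query back into an attribute value."""
    return f'<input name="q" value="{value}">'


class _AttrCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_attributes(rendered: str) -> dict:
    """Parse the rendered tag the way a browser would and return its attributes.
    A safe value yields only 'name' and 'value'; a breakout adds extra keys."""
    parser = _AttrCollector()
    parser.feed(rendered)
    return parser.attrs
```

Feeding `SAMPLE_INPUT` through `strip_html` leaves it unchanged, so `parsed_attributes` reports an extra `onmouseover` attribute; through `html_entities` the parser sees only `name` and `value`, with the original text intact as the value.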