[pLog-svn] r5466 - plog/branches/lifetype-1.2/class/summary/action
oscar at devel.lifetype.net
oscar at devel.lifetype.net
Wed May 30 17:50:43 EDT 2007
Author: oscar
Date: 2007-05-30 17:50:42 -0400 (Wed, 30 May 2007)
New Revision: 5466
Modified:
plog/branches/lifetype-1.2/class/summary/action/dousercreation.class.php
Log:
This is the first example where input filters are used to clean user input before it is even processed. By registering some input filters, we make sure that data is always cleaned up before being used. In this case this new feature is being used to fix a potential XSS vulnerability in the registration process as described here: http://bugs.lifetype.net/view.php?id=1314. Additionally, we have been able to remove all calls to Textfilter::filterAllHTML() from the perform() method because we know that data is already clean, as we linked most of the request parameters to a filter via Properties::registerFilter()
Modified: plog/branches/lifetype-1.2/class/summary/action/dousercreation.class.php
===================================================================
--- plog/branches/lifetype-1.2/class/summary/action/dousercreation.class.php 2007-05-30 21:47:49 UTC (rev 5465)
+++ plog/branches/lifetype-1.2/class/summary/action/dousercreation.class.php 2007-05-30 21:50:42 UTC (rev 5466)
@@ -5,6 +5,8 @@
lt_include( PLOG_CLASS_PATH."class/data/validator/stringvalidator.class.php" );
lt_include( PLOG_CLASS_PATH."class/data/validator/usernamevalidator.class.php" );
lt_include( PLOG_CLASS_PATH."class/data/validator/passwordvalidator.class.php" );
+ lt_include( PLOG_CLASS_PATH."class/data/filter/htmlfilter.class.php" );
+ lt_include( PLOG_CLASS_PATH."class/data/filter/htmlentitiesfilter.class.php" );
lt_include( PLOG_CLASS_PATH."class/dao/users.class.php" );
lt_include( PLOG_CLASS_PATH."class/summary/view/doblogregistrationview.class.php" );
lt_include( PLOG_CLASS_PATH."class/summary/view/summaryusercreationview.class.php" );
@@ -19,6 +21,15 @@
{
$this->RegisterAction( $actionInfo, $request );
+ // apply some filters to the data in the request
+ $f = new HtmlFilter();
+ $f->addFilter( new HtmlEntitiesFilter());
+ $this->_request->registerFilter( "userName", $f );
+ $this->_request->registerFilter( "userFullName", $f );
+ $this->_request->registerFilter( "userEmail", $f );
+ $this->_request->registerFilter( "userPassword", $f );
+ $this->_request->registerFilter( "confirmPassword", $f );
+
// data validation and stuff like that :)
$this->registerFieldValidator( "userName", new UsernameValidator());
$this->registerFieldValidator( "userPassword", new PasswordValidator());
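Review bot: The filter registered under `"confirmPassword"` never matches the parameter that perform() actually reads in the following hunk, `$this->_request->getValue( "userPasswordCheck" )` (the same name the removed filterAllHTML() call used), so the confirmation value is now the one field that receives no filtering at all; the registration should be `$this->_request->registerFilter( "userPasswordCheck", $f );`. A side effect worth confirming against the comparison later in perform() is that userPassword is entity-encoded while userPasswordCheck is not, so a password containing `<`, `>`, `&` or quotes would presumably never equal its confirmation. Applying HtmlEntitiesFilter to userPassword also alters the value that gets stored for such characters, and whether the login path transforms the submitted password the same way is not visible here and should be checked. The constructor whose body this hunk edits begins above the hunk.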
@@ -37,12 +48,11 @@
function perform()
{
// if all data is correct, then we can proceed and use it
- $tf = new Textfilter();
- $this->userName = $tf->filterAllHTML($this->_request->getValue( "userName" ));
- $this->userPassword = $tf->filterAllHTML($this->_request->getValue( "userPassword" ));
- $this->confirmPassword = $tf->filterAllHTML($this->_request->getValue( "userPasswordCheck" ));
- $this->userEmail = $tf->filterAllHTML($this->_request->getValue( "userEmail" ));
- $this->userFullName = $tf->filterAllHTML($this->_request->getValue( "userFullName" ));
+ $this->userName = $this->_request->getValue( "userName" );
+ $this->userPassword = $this->_request->getValue( "userPassword" );
+ $this->confirmPassword = $this->_request->getValue( "userPasswordCheck" );
+ $this->userEmail = $this->_request->getValue( "userEmail" );
+ $this->userFullName = $this->_request->getValue( "userFullName" );
$this->captcha = $this->_request->getValue( "userAuth" );
// check if there is already a user with the same username and quit if so