Re: [VuFind-Tech] Cross-site scripting

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Demian Katz schrieb:

> As I see it, there are two basic approaches to this:
> 
> 1.) Sanitize the data as it comes in -- as Till did in his patch.

That was just a "fix as quick and easy as possible" solution. I am even 
not sure, if that is enough or a correct approach, because I don't know 
much of all these XSS issues and how to avoid them. So I don't recommend 
  using that!

> Personally, I prefer approach #2 -- I feel it's a little more 
> predictable.  

I don't think it's more predictable. Predictable is approach #1: 
Everything cleaned out is lost in any further step. So no interference 
with anything :-)

But approach #2 allows "fine grain" control of what is sanitized where 
for what kind of use. Eg. before sending user input to Solr there is 
some cleaning needed as well, though the Dismax handler is much more 
forgiving than the standard handler.
There are already some code fragments doing such sanitation (but only in 
regard to Solr), eg. cleanInput() in sys/Solr.php (in earlier times it 
was scattered over services/Search/Home.php).

> I'm 
> willing to take a stab at closing up the holes in this manner,

Great!

>  Is there any consensus on this issue?

I can live with both approaches. If taking #2, it's worth thinking about 
some kind of "central cleaning service" that may be called from all 
points in VuFind if needed (I guess that was one intention behind moving 
sanitation code from Home.php to Solr.php), so we have one defined place 
to handle those things. Otherwise you end up with different 
implementations of cleaning mechanisms, but none of them perfect and 
well maintained.
Maybe it's a good start to think about, where user input is used and 
needs to be treated. First things on my mind are: Data display, Solr, 
MySQL (though the database interface should care for cleanliness there). 
There are no critical eval(), system()-, exec()-, fopen(), passthru(), 
...-calls to the operating system, file system or sockets, are there?

Till

-- 
http://twitter.com/tillk